<html>

<head>
<meta name=标题 content="">
<meta name=关键词 content="">
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 15 (filtered)">
<style>
<!--
 /* Font Definitions */
@font-face
	{font-family:"Courier New";
	panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
	{font-family:Times;
	panose-1:0 0 5 0 0 0 0 2 0 0;}
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:DengXian;
	panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
	{font-family:"\@DengXian";}
@font-face
	{font-family:"Microsoft YaHei";
	panose-1:2 11 5 3 2 2 4 2 2 4;}
@font-face
	{font-family:"\@Microsoft YaHei";}
@font-face
	{font-family:Menlo;
	panose-1:2 11 6 9 3 8 4 2 2 4;}
 /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	text-align:justify;
	text-justify:inter-ideograph;
	font-size:12.0pt;
	font-family:DengXian;}
code
	{font-family:Courier;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{margin:0cm;
	margin-bottom:.0001pt;
	text-align:justify;
	text-justify:inter-ideograph;
	text-indent:21.0pt;
	font-size:12.0pt;
	font-family:DengXian;}
p.a, li.a, div.a
	{margin:0cm;
	margin-bottom:.0001pt;
	text-align:justify;
	text-justify:inter-ideograph;
	line-height:200%;
	font-size:12.0pt;
	font-family:"Microsoft YaHei";}
 /* Page Definitions */
@page WordSection1
	{size:595.0pt 842.0pt;
	margin:72.0pt 90.0pt 72.0pt 90.0pt;
	layout-grid:15.6pt;}
div.WordSection1
	{page:WordSection1;}
 /* List Definitions */
ol
	{margin-bottom:0cm;}
ul
	{margin-bottom:0cm;}
-->
</style>

</head>

<body lang=ZH-CN style='text-justify-trim:punctuation'>

<div class=WordSection1 style='layout-grid:15.6pt'>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-size:14.0pt;line-height:200%;font-family:"Microsoft YaHei"'>iptables</span></b></p>

<p class=MsoNormal align=left style='margin-bottom:12.0pt;text-align:left;
text-indent:21.0pt;line-height:200%;text-autospace:none'><span lang=EN-US
style='font-family:"Microsoft YaHei";color:black'>The iptables command sets up the Linux kernel's IP filtering rules and manages NAT. It is used to set up, maintain and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.</span></p>

<p class=MsoNormal align=left style='margin-bottom:12.0pt;text-align:left;
text-indent:21.0pt;line-height:200%;text-autospace:none'><span lang=EN-US
style='font-family:"Microsoft YaHei";color:black'>This command applies to: RedHat, RHEL, Ubuntu, CentOS, SUSE, openSUSE, Fedora.</span></p>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>&nbsp;</span></b></p>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>1. Syntax</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  {-A|-D}  chain
 rule-specification</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -I  chain
 [rulenum]  rule-specification</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -R  chain
 rulenum  rule-specification</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -D  chain
 rulenum</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -S  [chain
[rulenum]]</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  {-F|-L|-Z}
 [chain [rulenum]]  [options...]</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -N  chain</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -X  [chain]</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -P  chain
 target</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables  [-t table]  -E  old-chain-name
 new-chain-name</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>rule-specification = [matches...] [target]</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>match = -m matchname [per-match-options]</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>target = -j targetname [per-target-options]</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The Linux kernel currently supports 3 independent tables: filter, which filters IP packets; nat, which configures NAT; and mangle, which modifies IP packets.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>filter is the default table and contains three chains: INPUT (packets destined for the local host), OUTPUT (packets generated by the local host), and FORWARD (packets being routed through the host).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The nat table contains three chains: PREROUTING (alters packets as soon as they come in), OUTPUT (alters locally generated packets before routing), and POSTROUTING (alters packets as they are about to go out).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The mangle table contains five chains: PREROUTING (alters incoming packets before routing), OUTPUT (alters locally generated packets before routing), INPUT (alters packets destined for the local host), FORWARD (alters packets being routed through the host), and POSTROUTING (alters packets as they are about to go out).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The built-in targets on Linux are: ACCEPT (let the packet through), DROP (discard the packet), QUEUE (pass the packet to userspace), and RETURN (stop traversing the current chain and resume at the next rule of the previous, calling chain).</span></p>
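<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>As an added example (not part of the original page), the following POSIX shell script builds a default-deny ruleset for the filter table, showing how the chain policies, rule order and the ACCEPT/DROP targets described above fit together. It emits the ruleset in iptables-restore format so that the whole table is loaded atomically. The function names, SSH_PORT, ADMIN_NET (192.0.2.0/24, a documentation network chosen for the example) and the choice of rules are assumptions made for this example.</span></p>

```shell
#!/bin/sh
# Added example, not from the original page: a minimal default-deny host
# firewall for the filter table, written as an iptables-restore fragment.
# SSH_PORT and ADMIN_NET are placeholders chosen for this example; override
# them in the environment for a real host.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed example network

# Emit the ruleset. Order matters: a chain is traversed top to bottom, the
# first matching rule decides, and the policy declared in the ":CHAIN POLICY"
# header applies only when no rule matched.
build_filter_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        "-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}

# Number of -A rules in the named chain of the generated ruleset.
count_rules() {
    build_filter_rules | grep -c "^-A $1 " || true
}

# Policy of the named chain, read from its ":CHAIN POLICY [packets:bytes]" header.
chain_policy() {
    build_filter_rules | awk -v c=":$1" '$1 == c { print $2 }'
}

# Load the ruleset with iptables-restore (needs root). With DRY_RUN set the
# ruleset is only printed, so the script can be reviewed before it is applied.
apply_filter_rules() {
    if [ -n "${DRY_RUN:-}" ]; then
        build_filter_rules
    else
        build_filter_rules | iptables-restore
    fi
}

case "${1:-}" in
    show)  build_filter_rules ;;
    apply) apply_filter_rules ;;
esac
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Run it as <code>sh firewall.sh show</code> to review the ruleset and <code>sh firewall.sh apply</code> to load it. Loading the file in one iptables-restore transaction matters on a remote host: issuing <code>-P INPUT DROP</code> on its own before the ESTABLISHED,RELATED rule exists would cut the administrator's own session, because the policy is the fallback for every packet that no rule accepted.</span></p>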

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>&nbsp;</span></b></p>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>2. Option list</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The options fall into the following groups.</span></p>

<table class=MsoTableGrid border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Command</span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border:solid windowtext 1.0pt;
  border-left:none;background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Description</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-t </span></b><u><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>table</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Specify the table to operate on</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-A | --append </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>chain rule-specification</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Append a rule to the end of the chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-D | --delete </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>chain rule-specification</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Delete a rule from the chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-I | --insert </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>chain [rulenum] rule-specification</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Insert a rule into the chain (at the given rule number)</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-R | --replace </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>chain [rulenum] rule-specification</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Replace the rule at the given rule number</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-L | --list </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>[chain]</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>List the rules in the chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-S | --list-rules </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>[chain]</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Print all rules in the selected chain. If no chain is selected, all chains are printed</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-F | --flush </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>[chain]</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Flush the specified chain, i.e. delete all of its rules</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-Z | --zero <u>[chain [rulenum]]</u></span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Zero the packet and byte counters</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-N | --new-chain </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>chain</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Create a new user-defined chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-X | --delete-chain </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>[chain]</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Delete a user-defined chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-P</span></b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'> | <b>--policy </b><u>chain</u> <u>target</u></span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Set the policy of the specified chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-E</span></b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'> | <b>--rename-chain </b><u>old</u> <u>new</u></span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Rename a chain</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-h</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Show help</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Parameter</span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Description</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>[!] -p | --protocol </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>protocol</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Specify the protocol: tcp, udp, icmp or all. A "!" before the protocol inverts the match</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>[!] -s | --source</span></b><span
  lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>[/mask][,…</span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Source address</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>[!] -d | --destination</span></b><span
  lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>[/mask][,…</span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Destination address</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-j | --jump</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Specify the target to jump to</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-g | --goto </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>chain</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>This specifies that processing should continue in a user-specified chain. Unlike the "<b>--jump</b>" option, RETURN will not continue processing in this chain but instead in the chain that called us via "<b>--jump</b>".</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>[!] -i | --in-interface </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>name</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Name of the interface on which the packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with this name will match. If this option is omitted, any interface name will match.</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-o | --out-interface </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>name</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Name of the interface via which the packet is going to be sent</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>[!] -f | --fragment</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>This means that the rule only refers to the second and further fragments of fragmented packets.</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-c | --set-counters </span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>packets</span></u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'> <u>bytes</u></span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND and REPLACE operations).</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Other options</span></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Description</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-v | --verbose</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Verbose output. This option makes the list command show the interface name, the rule options (if any) and the TOS masks. The packet and byte counters are also listed</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-n | --numeric</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names or services (whenever applicable).</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>-x | --exact</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>--line-numbers</span></b></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.</span></p>
  </td>
 </tr>
 <tr>
  <td width="28%" valign=top style='width:28.58%;border:solid windowtext 1.0pt;
  border-top:none;padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
  style='font-family:"Microsoft YaHei"'>--modprobe=</span></b><u><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>command</span></u></p>
  </td>
  <td width="71%" valign=top style='width:71.42%;border-top:none;border-left:
  none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;
  padding:0cm 5.4pt 0cm 5.4pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc.)</span></p>
  </td>
 </tr>
</table>
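<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>As an added example (not part of the original page), the following shell functions read a rule dump in the -S / --list-rules format described in the table and report two things a reviewer looks for: a built-in INPUT or FORWARD chain whose policy is ACCEPT, and ACCEPT rules that open a port without any -s / --source restriction. The dump embedded below is constructed for this example; on a live host the output of <code>iptables -S</code> (or iptables-save) is fed in instead. The function names are assumptions made for this example.</span></p>

```shell
#!/bin/sh
# Added example, not from the original page: audit a dump in "iptables -S"
# format. The dump below is constructed for this example and deliberately
# contains findings (policy ACCEPT on INPUT, and two ports open to any source).
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP'

# Built-in INPUT/FORWARD chains whose policy (-P line) is ACCEPT. OUTPUT is
# left out: an ACCEPT policy there is the usual choice for a host firewall.
open_policies() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $3 == "ACCEPT" && ($2 == "INPUT" || $2 == "FORWARD") { print $2 }'
}

# ACCEPT rules (-A lines) that match a --dport but carry no -s/--source match,
# i.e. the port is reachable from any address. Prints "CHAIN PORT".
unrestricted_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $NF == "ACCEPT" {
            has_src = 0; port = ""
            for (i = NF; i; i--) {
                if ($i == "-s" || $i == "--source") has_src = 1
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "" && !has_src) print $2, port
        }'
}

# Human-readable findings, one per line.
report_dump() {
    open_policies "$1" | sed 's/^/policy ACCEPT on built-in chain: /'
    unrestricted_accepts "$1" | sed 's/^/port open to any source: /'
}

# Exit status 0 when the dump has no findings, 1 otherwise.
audit_dump() {
    [ -z "$(report_dump "$1")" ]
}

# Usage: iptables -S | sh audit.sh -     (reads the live dump from stdin)
if [ "${1:-}" = "-" ]; then
    report_dump "$(cat)"
fi
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>The sample's trailing <code>-A INPUT -j DROP</code> rule hides the ACCEPT policy only for as long as it is present: <code>-F</code> flushes the rules but leaves the policy untouched, so after a flush the chain would fall open. That is why the audit reports the policy itself rather than the last rule. Use <code>-n</code> with <code>-L</code> or <code>-S</code> when collecting a dump so that addresses and ports appear numerically and are not subject to name resolution.</span></p>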

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>&nbsp;</span></b></p>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>3. Match extensions</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when "-p" or "--protocol" is specified, or with the "-m" or "--match" option followed by the name of the matching module; after that, depending on the specific module, various extra command line options become available. Multiple extended match modules can be specified on one line, and the "-h" or "--help" option can be used after a module has been specified to receive help specific to that module.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>1) addrtype</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of a group depends on the specific layer three protocol. The following address types are possible:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>UNSPEC</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>, an unspecified address, e.g. 0.0.0.0.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>UNICAST</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>, a unicast address.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>LOCAL</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>, a local address.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>BROADCAST</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>, a broadcast address.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ANYCAST</span></b><span
style='font-family:"Microsoft YaHei"'>，选播包。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>MULTICAST</span></b><span
style='font-family:"Microsoft YaHei"'>，多播地址。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>BLACKHOLE</span></b><span
style='font-family:"Microsoft YaHei"'>，黑洞地址。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>UNREACHABLE</span></b><span
style='font-family:"Microsoft YaHei"'>，不可达到的地址。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>PROHIBIT</span></b><span
style='font-family:"Microsoft YaHei"'>，被禁止的地址。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>THROW</span></b><span
style='font-family:"Microsoft YaHei"'>，<span lang=EN-US>FIXME</span>。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>NAT</span></b><span
style='font-family:"Microsoft YaHei"'>，<span lang=EN-US>FIXME</span>。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>XRESOLVE</span></b><span
style='font-family:"Microsoft YaHei"'>，</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --src-type type</span></b><span
style='font-family:"Microsoft YaHei"'>，如果源地址为给定类型，则匹配。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --dst-type type</span></b><span
style='font-family:"Microsoft YaHei"'>，如果目标地址是给定类型的，则匹配。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--limit-iface-in</span></b><span
style='font-family:"Microsoft YaHei"'>，地址类型检查可以限制在数据包即将进入的接口上。此选项仅在<span
lang=EN-US>PREROUTING</span>、<span lang=EN-US>INPUT</span>和<span lang=EN-US>FORWARD</span>链中有效。它不能用“<span
lang=EN-US>--limit-iface-out </span>“选项来指定。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--limit-iface-out</span></b><span
style='font-family:"Microsoft YaHei"'>，地址类型检查可以限制在包将要输出的接口上。此选项仅在<span
lang=EN-US>POSTROUTING</span>、<span lang=EN-US>OUTPUT</span>和<span lang=EN-US>FORWARD</span>链中有效。它不能用“<span
lang=EN-US>--limit-iface-in</span>“选项指定。</span></p>
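<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The script below is an added example (not from this page or the iptables project) that puts the addrtype types and --limit-iface-in to their usual defensive use: rejecting packets whose source address type can never be legitimate on an Internet-facing interface, and refusing packets that arrive on that interface but are addressed to an IP that is local only on some other interface. The interface name eth0 is a placeholder; the comma-separated type list is something the extension accepts but the page does not show, and iptables-restore is assumed to be in PATH when the rules are applied.</span></p>

```shell
#!/bin/sh
# Added example: address-type sanity checks for an Internet-facing interface.
# Not from the page or the iptables project. Assumptions: WAN_IF ("eth0" here)
# is a placeholder for the external interface, and iptables-restore is in PATH
# when APPLY=1. Output is in iptables-restore format so it can be reviewed
# before it is loaded.

WAN_IF="${WAN_IF:-eth0}"

# Emit the addrtype rules for one ingress interface as a filter-table fragment.
addrtype_table() {
    ifc="$1"
    echo "*filter"
    # Source address types that no legitimate packet arriving from the
    # Internet can carry. Each is dropped before any service sees the packet.
    for t in BROADCAST MULTICAST ANYCAST UNSPEC BLACKHOLE UNREACHABLE PROHIBIT; do
        echo "-A INPUT -i $ifc -m addrtype --src-type $t -j DROP"
    done
    # A packet from outside whose source claims to be one of this host's own
    # addresses (127.0.0.1 included) is spoofed.
    echo "-A INPUT -i $ifc -m addrtype --src-type LOCAL -j DROP"
    # Linux accepts a packet for any local address on any interface (weak host
    # model). --limit-iface-in restricts the LOCAL lookup to $ifc itself, so a
    # packet addressed to an internal interface's IP but arriving on the WAN
    # side is dropped. The type list is comma separated (assumed: the
    # extension accepts it; the page shows single types only).
    echo "-A INPUT -i $ifc -m addrtype ! --dst-type LOCAL,BROADCAST,MULTICAST --limit-iface-in -j DROP"
    echo "COMMIT"
}

# Number of rules in the fragment, for a quick sanity check of the output.
addrtype_rule_count() {
    addrtype_table "$1" | grep -c '^-A '
}

if [ "${APPLY:-0}" = 1 ]; then
    # --noflush appends to the existing filter table instead of replacing it.
    addrtype_table "$WAN_IF" | iptables-restore --noflush
else
    addrtype_table "$WAN_IF"
fi
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Run without arguments it only prints the fragment; APPLY=1 WAN_IF=eth0 sh addrtype.sh loads it. The rules are bound to -i so loopback and LAN interfaces are unaffected, and they belong at the top of INPUT, before any ACCEPT rule, since their whole point is to run before a service sees the packet.</span></p>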

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>2) <b>ah</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module matches the SPIs in the Authentication Header of IPsec packets.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ahspi spi[:spi]</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: match a single SPI, or an inclusive range of SPIs, in the AH header.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>3) <b>cluster</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Allows you to deploy gateway and back-end load-sharing clusters without the need for load balancers. This match requires that all nodes see the same packets. Given that, the cluster match decides whether this node has to handle a packet, based on the following options:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--cluster-total-nodes</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>num</u>: set the total number of nodes in the cluster.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --cluster-local-node</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>num</u>: set the local node number ID.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --cluster-local-nodemask</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>mask</u>: set the local node number ID mask. You can use this option instead of <b>--cluster-local-node</b>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--cluster-hash-seed</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>: set the seed value of the Jenkins hash.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Example (the rules for node 1 of a two-node cluster with two interfaces; packets the hash does not assign to this node are dropped):</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A PREROUTING -t mangle -i eth1 -m mark ! --mark 0xffff -j DROP</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The following commands make all nodes see the same packets (the nodes share a multicast MAC address per interface, and the arptables rules rewrite the MAC in ARP traffic accordingly; 00:zz:yy:xx:5a:27 stands for the node's real MAC address):</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ip maddr add 01:00:5e:00:01:01 dev eth1</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ip maddr add 01:00:5e:00:01:02 dev eth2</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>arptables -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>arptables -A INPUT -i eth1 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>4) <b>comment</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Allows you to add a comment (up to 256 characters) to any rule.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--comment</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>comment</u>: the comment text; it is stored with the rule and shown by iptables -L, for example:</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT -s 192.168.0.0/16 -m comment --comment &quot;A privatized IP block&quot;</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>5) <b>connbytes</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Matches by how many bytes or packets a connection has transferred so far, or by its average bytes per packet. Its main use is to detect long-lived downloads and mark them to be scheduled in a lower-priority band in traffic control. The bytes transferred per connection can also be viewed with &quot;conntrack -L&quot; and accessed via ctnetlink.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --connbytes</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>from</u>[:<u>to</u>]: match packets from a connection whose counter (packets, bytes or average packet size, as selected by --connbytes-mode) is more than FROM and less than TO; if TO is omitted only the FROM check is done. &quot;!&quot; matches packets not falling in that range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--connbytes-dir {original|reply|both}</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: which direction of packets to take into account.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--connbytes-mode {packets|bytes|avgpkt}</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: whether to check the number of packets, the number of bytes transferred, or the average size (in bytes) of all packets received so far. Note that when &quot;both&quot; is used together with &quot;avgpkt&quot; and data is flowing (mainly) in one direction only (for example HTTP), the average packet size will be about half that of the actual data packets, because the small acknowledgements in the other direction are averaged in.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>6) <b>connlimit</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Allows you to restrict the number of parallel connections to a server per client IP address (or per client address block).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --connlimit-above</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>n</u>: match if the number of existing connections is above n.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--connlimit-mask</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>prefix_length</u>: group hosts using this prefix length. For IPv4 this must be a number between 0 and 32 (inclusive); for IPv6, between 0 and 128.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'># allow 2 telnet connections per client host</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'># limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask); the chain, -A INPUT, is added here and is omitted in the original example</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'># limit the number of parallel HTTP requests to 16 for the IPv6 link-local network (chain added as above)</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>7) <b>connmark</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target described below).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --mark</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>[/<u>mask</u>]: matches packets in connections with the given mark value (if a mask is specified, the connection mark is logically ANDed with the mask before the comparison).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>8) conntrack</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctstate</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>statelist</u>: statelist is a comma-separated list of the connection states to match. The possible states are listed below.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctproto</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>l4proto</u>: layer-4 protocol to match (by number or name).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctorigsrc</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>[/<u>mask</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctorigdst</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>[/<u>mask</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctreplsrc</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>[/<u>mask</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctrepldst</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>[/<u>mask</u>]: match against the original/reply source/destination address of the connection.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctorigsrcport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctorigdstport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctreplsrcport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctrepldstport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u>: match against the original/reply source/destination port (TCP/UDP/etc.) or GRE key.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctstatus</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>statuslist</u>: statuslist is a comma-separated list of the connection statuses to match. The possible statuses are listed below.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ctexpire</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>time</u>[:<u>time</u>]: match the remaining lifetime of the conntrack entry (in seconds) against the given value or inclusive range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ctdir {ORIGINAL|REPLY}</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: match packets flowing in the specified direction. If this flag is not specified at all, packets in both directions match.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Valid values for ctstate:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>INVALID</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: the packet is associated with no known connection.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>NEW</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: the packet has started a new connection, or is otherwise associated with a connection which has not yet seen packets in both directions.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ESTABLISHED</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: the packet is associated with a connection which has seen packets in both directions.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>RELATED</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: the packet is starting a new connection, but one that is associated with an existing connection, such as an FTP data transfer or an ICMP error.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>SNAT</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: a virtual state, matching if the original source address differs from the reply destination.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>DNAT</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: a virtual state, matching if the original destination differs from the reply source.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Valid values for ctstatus:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>NONE</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: none of the statuses below.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>EXPECTED</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: this is an expected connection (one a conntrack helper set up in advance).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>SEEN_REPLY</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: conntrack has seen packets in both directions.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ASSURED</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: the conntrack entry should never be expired early (for example when the table is full).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>CONFIRMED</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: the connection is confirmed: the originating packet has left the box.</span></p>
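<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The script below is an added example (not from this page or the iptables project) of a stateful INPUT policy built on the ctstate values just listed, with several match modules combined in single rules as section 3 describes and one rule carrying a comment (section 4). It shows the ordering that matters in practice: INVALID is dropped first, a TCP segment without SYN that conntrack would still classify as NEW is dropped next, ESTABLISHED,RELATED is accepted before any port rule, and only then are NEW flows in the ORIGINAL direction admitted to named services. The port numbers are placeholders; the multiport, limit and comment matches and the LOG target are standard iptables extensions this page does not describe, and iptables-restore is assumed to be in PATH when the rules are applied.</span></p>

```shell
#!/bin/sh
# Added example: a stateful INPUT policy built around the conntrack match.
# Not from the page or the iptables project. Assumptions: SSH_PORT and
# WEB_PORTS are placeholders; the multiport, limit and comment matches and the
# LOG target are standard iptables extensions not described on this page.
# Output is an iptables-restore fragment for review; APPLY=1 loads it.

SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80,443}"

stateful_filter_table() {
    echo "*filter"
    # Policies: drop what no rule accepts; outbound traffic is left open here.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # 1. INVALID: conntrack could not attribute the packet to any flow (bad
    #    TCP flag combinations, out-of-window segments, replies to nothing).
    #    Dropping these first keeps them from ever reaching the NEW rules.
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # 2. NEW means "no packets seen in both directions yet", which a TCP
    #    segment without SYN can also satisfy; such a segment never starts a
    #    valid connection, so it is dropped instead of being admitted below.
    echo "-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
    # 3. Continuations of admitted flows, and helper-expected flows (RELATED),
    #    are accepted without re-checking ports. --ctdir is left unset, so
    #    both directions match.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    # 4. Only the initiating direction of a NEW flow, and only to exposed services.
    echo "-A INPUT -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW --ctdir ORIGINAL -j ACCEPT"
    echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --ctdir ORIGINAL -m comment --comment \"admin ssh\" -j ACCEPT"
    # 5. Everything else that is NEW: sample it into the log for detection,
    #    then let the DROP policy take it.
    echo "-A INPUT -m conntrack --ctstate NEW -m limit --limit 5/minute -j LOG --log-prefix \"fw-input-denied: \""
    echo "COMMIT"
}

# 1-based position of the first rule that names a given ctstate; lets a
# reviewer verify that INVALID is handled before ESTABLISHED,RELATED.
ctstate_rule_index() {
    stateful_filter_table | grep '^-A ' | grep -n -- "--ctstate $1" | head -n 1 | cut -d: -f1
}

if [ "${APPLY:-0}" = 1 ]; then
    stateful_filter_table | iptables-restore
else
    stateful_filter_table
fi
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Because the fragment sets chain policies and is loaded without --noflush, applying it replaces the whole filter table; review the printed output first. The log line in step 5 is what a detection pipeline keys on: a burst of "fw-input-denied" entries from one source is a port scan or a service probe, and the limit match keeps that logging from becoming its own flood.</span></p>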

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>9) <b>dccp</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --source-port,--sport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u>[:<u>port</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --destination-port,--dport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u>[:<u>port</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --dccp-types</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>mask</u>: match when the DCCP packet type is one of those in &quot;mask&quot;, a comma-separated list of packet types. The types are: <b>REQUEST, RESPONSE, DATA, ACK, DATAACK, CLOSEREQ, CLOSE, RESET, SYNC, SYNCACK, INVALID</b>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --dccp-option</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>number</u>: match if the DCCP option with this number is set.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>10) <b>dscp</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module matches the 6-bit DSCP field within the TOS field of the IP header. DSCP has superseded TOS within the IETF.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --dscp</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>: match against a numeric (decimal or hex) value in the range [0-63].</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --dscp-class</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>class</u>: match the DiffServ class. The value may be any of the BE, EF, AFxx or CSx classes; it is translated into its corresponding numeric value before matching.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>11) <b>ecn</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This allows you to match the ECN bits of the IPv4 and TCP headers. ECN is the Explicit Congestion Notification mechanism specified in RFC 3168.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ecn-tcp-cwr</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: matches if the TCP ECN CWR (Congestion Window Received) bit is set.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ecn-tcp-ece</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: matches if the TCP ECN ECE (ECN Echo) bit is set.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ecn-ip-ect num</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: matches a particular IPv4 ECT (ECN-Capable Transport) value. You have to specify a number between 0 and 3; these are the two low-order bits of the TOS byte, below the six DSCP bits.</span></p>
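<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The script below is an added example (not from this page or the iptables project) showing what the "translated into its corresponding numeric value" step of --dscp-class amounts to, how the 6 DSCP bits and the 2 ECN bits share the TOS byte that packet captures display, and a DSCP trust boundary on an external interface, which is the usual security reason to match on DSCP at all. The AFxy = 8x + 2y, CSx = 8x, EF = 46 and BE = 0 encodings are the standard ones but are not stated on this page; the interface names are placeholders; the DSCP target with --set-dscp is a standard iptables extension not described here.</span></p>

```shell
#!/bin/sh
# Added example: DiffServ class names to the numeric DSCP values the dscp
# match compares against, plus a DSCP trust boundary for an external interface.
# Not from the page or the iptables project. Assumptions: standard encodings
# (AFxy = 8x + 2y, CSx = 8x, EF = 46, BE = 0); WAN_IF/VOICE_IF are placeholder
# interface names; the DSCP target (--set-dscp) is a standard extension that
# this page does not describe; iptables-restore is in PATH when APPLY=1.

# Print the 6-bit DSCP value for a class name, or fail for an unknown name.
dscp_value() {
    case "$1" in
        BE) echo 0 ;;
        EF) echo 46 ;;
        CS[0-7]) echo $(( ${1#CS} * 8 )) ;;
        AF[1-4][1-3])
            pair=${1#AF}          # e.g. "41"
            cls=${pair%?}         # class selector  -> 4
            prec=${pair#?}        # drop precedence -> 1
            echo $(( cls * 8 + prec * 2 )) ;;
        *) return 1 ;;
    esac
}

# The TOS byte as shown by a packet dump: DSCP occupies the upper six bits,
# the ECN field (0-3) the lowest two. The dscp match ignores those two bits,
# so --dscp 46 matches TOS 0xb8, 0xb9, 0xba and 0xbb alike.
tos_byte() {
    dscp=$1; ecn=$2
    echo $(( (dscp << 2) | (ecn & 3) ))
}

# Mangle-table fragment: anything entering from the Internet loses its DSCP
# marking, so an outside sender cannot claim a priority class that internal
# queueing honours; on the voice interface only EF survives.
dscp_trust_boundary() {
    wan=$1; voice=$2
    echo "*mangle"
    echo "-A PREROUTING -i $wan -m dscp ! --dscp 0 -j DSCP --set-dscp 0"
    echo "-A PREROUTING -i $voice -m dscp ! --dscp-class EF -j DSCP --set-dscp 0"
    echo "COMMIT"
}

if [ "${APPLY:-0}" = 1 ]; then
    dscp_trust_boundary "${WAN_IF:-eth0}" "${VOICE_IF:-eth1}" | iptables-restore --noflush
else
    for c in BE AF11 AF41 CS5 EF; do
        v=$(dscp_value "$c")
        printf '%-5s dscp=%2s tos=0x%02x\n' "$c" "$v" "$(tos_byte "$v" 0)"
    done
    dscp_trust_boundary "${WAN_IF:-eth0}" "${VOICE_IF:-eth1}"
fi
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The printed table is what to compare against tcpdump or a flow collector, which report the whole TOS byte: EF appears as 0xb8, AF41 as 0x88, and a value that is not a multiple of 4 means the ECN bits are set, not that the DSCP is unusual.</span></p>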

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>12) <b>esp</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module matches the SPIs in the ESP header of IPsec packets.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --espspi</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>spi</u>[:<u>spi</u>]: match a single SPI, or an inclusive range of SPIs, in the ESP header.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>13</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>hashlimit</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>哈希限制使用散列桶来表示一组连接的速率限制匹配<span lang=EN-US>(</span>如极限匹配<span
lang=EN-US>)</span>，使用单个<span lang=EN-US>iptables</span>规则。分组可以完成<span
lang=EN-US>perhostgroup(</span>源和<span lang=EN-US>/</span>或目标地址<span
lang=EN-US>)</span>和<span lang=EN-US>/</span>或每个端口。它使您能够表达<span lang=EN-US>“</span>每组每个时间量子<span
lang=EN-US>N</span>个数据包<span lang=EN-US>”</span>：</span></p>

<p class=MsoNormal style='text-indent:21.0pt'><span style='font-family:"Microsoft YaHei"'>源主机上的匹配：<span
lang=EN-US>192.168.0.0/16</span>期间每台主机每秒<span lang=EN-US>1000</span>个数据包。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>matching on source port: "100 packets per second for every service of 192.168.1.1".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>matching on subnet: "10000 packets per minute for every /28 subnet in 10.0.0.0/8".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-upto</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>amount</u>[/second|/minute|/hour|/day]</span><span
style='font-family:"Microsoft YaHei"'>, match if the rate is below or equal to amount/quantum. It is specified as a number, with an optional time quantum suffix; the default is 3/hour.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-above</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>amount</u>[/second|/minute|/hour|/day]</span><span
style='font-family:"Microsoft YaHei"'>, match if the rate is above amount/quantum.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-burst</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>amount</u></span><span
style='font-family:"Microsoft YaHei"'>, the maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-mode
{srcip|srcport|dstip|dstport},...</span></b><span style='font-family:"Microsoft YaHei"'>, a comma-separated list of objects to take into consideration. If no <b><span lang=EN-US>--hashlimit-mode</span></b> option is given, <b><span lang=EN-US>hashlimit</span></b> acts like <b><span
lang=EN-US>limit</span></b>, but at the expense of doing the hash housekeeping.</span></p>

<p class=MsoNormal style='text-indent:21.0pt'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>--hashlimit-srcmask</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>prefix</u></span><span
style='font-family:"Microsoft YaHei"'>, when "<b><span lang=EN-US>--hashlimit-mode</span></b>" is used, all source addresses encountered will be grouped according to the given prefix length, and the subnet so created will be subject to hashlimit. The prefix must be between 0 and 32 (inclusive).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-dstmask </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>prefix</span></u><span
style='font-family:"Microsoft YaHei"'>, like "<b><span lang=EN-US>--hashlimit-srcmask</span></b>", but for destination addresses.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-name</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>foo</u></span><span
style='font-family:"Microsoft YaHei"'>, the name for the "<span lang=EN-US>/proc/net/ipt_hashlimit/foo</span>" entry.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-htable-size</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>buckets</u></span><span
style='font-family:"Microsoft YaHei"'>, the number of buckets of the hash table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-htable-max </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>entries</span></u><span
style='font-family:"Microsoft YaHei"'>, the maximum number of entries in the hash.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-htable-expire </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>msec</span></u><span
style='font-family:"Microsoft YaHei"'>, after how many milliseconds hash entries expire.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hashlimit-htable-gcinterval</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>msec</u></span><span
style='font-family:"Microsoft YaHei"'>, how many milliseconds between garbage collection runs.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>14</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>helper</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches packets related to a specific connection-tracking helper.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --helper</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>string</u></span><span
style='font-family:"Microsoft YaHei"'>, matches packets related to the specified connection-tracking helper. For packets related to an FTP session on the default port, the string can be "<span lang=EN-US>ftp</span>". For other ports, append <span lang=EN-US>-portnr</span> to the value, i.e. "<span lang=EN-US>ftp-2121</span>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>15</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>icmp</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This extension can be used if "<b><span lang=EN-US>--protocol icmp</span></b>" is specified. It provides the following option:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --icmp-type</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> {type[/code]|typename}</span><span
style='font-family:"Microsoft YaHei"'>, this allows specification of the ICMP type, which can be a numeric ICMP type, a type/code pair, or one of the ICMP type names that the command displays.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>16</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>iprange</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This matches on a given arbitrary range of IP addresses.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --src-range</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>from</u>[-to]</span><span
style='font-family:"Microsoft YaHei"'>, match the source IP in the specified range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --dst-range</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>from</u>[-to]</span><span
style='font-family:"Microsoft YaHei"'>, match the destination IP in the specified range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>17</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>length</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches the length of the layer-3 payload (e.g. the layer-4 packet) of a packet against a specific value or range of values.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --length</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>length</u>[:<u>length</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>18</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>limit</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the "<span lang=EN-US>!</span>" flag is used). It can be used in combination with the LOG target to give limited logging, for example.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--limit</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>rate</u>[/second|/minute|/hour|/day]</span><span
style='font-family:"Microsoft YaHei"'>, the maximum average matching rate: specified as a number, with an optional '<span lang=EN-US>/second</span>', '<span lang=EN-US>/minute</span>', '<span lang=EN-US>/hour</span>' or '<span lang=EN-US>/day</span>' suffix; the default is 3/hour.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--limit-burst</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>number</u></span><span
style='font-family:"Microsoft YaHei"'>, the maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.</span></p>
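<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span style='font-family:"Microsoft YaHei"'>The token-bucket behaviour shared by the limit match here and the hashlimit match in 13) is easiest to see in a small model. The following Python is an added illustration, not code from the iptables project; it assumes `--hashlimit-mode srcip` grouping, models time as explicit timestamps, and uses constructed sample addresses.</span></p>

```python
"""Token-bucket model of the `limit` and `hashlimit` matches.

Added illustration, not iptables code. As the text describes, a bucket
starts full with `burst` tokens, each matching packet spends one, and one
token is recharged per 1/rate seconds, up to `burst`. hashlimit keeps one
bucket per group; here the group key is the source IP masked with
--hashlimit-srcmask (i.e. --hashlimit-mode srcip). Time is passed in as
explicit timestamps (seconds) so the model runs offline and deterministically.
"""
import ipaddress

QUANTA = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec):
    """'1000/second' -> packets per second. A bare number is per hour,
    matching the `3/hour` defaults given in the text."""
    amount, _, quantum = spec.partition("/")
    return float(amount) / QUANTA[quantum or "hour"]


class TokenBucket:
    def __init__(self, rate_pps, burst, now):
        self.rate_pps, self.burst = rate_pps, burst
        self.tokens = float(burst)      # --limit-burst / --hashlimit-burst: starts full
        self.last = now

    def take(self, now):
        """Recharge for the elapsed time, then spend a token if one is left."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Limit:
    """`-m limit --limit RATE --limit-burst N`: one bucket for the whole rule."""
    def __init__(self, limit="3/hour", burst=5):
        self.bucket = TokenBucket(parse_rate(limit), burst, now=0.0)

    def matches(self, now):
        return self.bucket.take(now)


class HashLimit:
    """`-m hashlimit --hashlimit-{upto|above} RATE --hashlimit-burst N
    --hashlimit-mode srcip --hashlimit-srcmask P --hashlimit-htable-expire MS`"""
    def __init__(self, rate="3/hour", burst=5, above=False, srcmask=32, expire_ms=10000):
        self.rate, self.burst, self.above = parse_rate(rate), burst, above
        self.srcmask, self.expire = srcmask, expire_ms / 1000.0
        self.buckets = {}               # one entry per group, as /proc/net/ipt_hashlimit/NAME lists

    def group(self, src):
        # --hashlimit-srcmask: every source is grouped by the given prefix length
        return ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)

    def matches(self, src, now):
        key = self.group(src)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, now)
        under_limit = bucket.take(now)
        # --hashlimit-upto matches while tokens remain; --hashlimit-above once they are gone
        return not under_limit if self.above else under_limit

    def gc(self, now):
        """--hashlimit-htable-expire: drop groups idle longer than the expiry; returns entries left."""
        stale = [k for k, b in self.buckets.items() if now - b.last > self.expire]
        for k in stale:
            del self.buckets[k]
        return len(self.buckets)


def demo_limit():
    """Limited logging, `--limit 5/second --limit-burst 5`: ten packets at t=0
    and ten more at t=1 s; only five of each burst are logged."""
    lim = Limit("5/second", burst=5)
    hits_t0 = sum(lim.matches(0.0) for _ in range(10))
    hits_t1 = sum(lim.matches(1.0) for _ in range(10))
    return hits_t0, hits_t1


def demo_hashlimit():
    """`--hashlimit-above 2/second --hashlimit-burst 2 --hashlimit-mode srcip
    --hashlimit-srcmask 24`: the whole /24 shares one bucket, so the third
    packet from that subnet is already over the limit; another /24 is not."""
    hl = HashLimit("2/second", burst=2, above=True, srcmask=24)
    pkts = ["192.168.1.5", "192.168.1.200", "192.168.1.7", "192.168.2.1"]  # constructed samples
    over = [hl.matches(src, 0.0) for src in pkts]
    return over, hl.gc(5.0), hl.gc(20.0)    # 2 groups survive at 5 s, none after 10 s idle
```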

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>19</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>mac</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --mac-source</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u></span><span
style='font-family:"Microsoft YaHei"'>, match the source MAC address. It must be of the form <span lang=EN-US>XX:XX:XX:XX:XX:XX</span>. Note that this only makes sense for packets coming from an Ethernet device and entering the <span lang=EN-US>PREROUTING</span>, <span lang=EN-US>FORWARD</span> or <span lang=EN-US>INPUT</span> chains.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>20</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>mark</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --mark</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>[/<u>mask</u>]</span><span
style='font-family:"Microsoft YaHei"'>, matches packets with the given unsigned mark value (if a mask is specified, the mark is logically ANDed with the mask before the comparison).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>21</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>multiport</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with "<b><span
lang=EN-US>-p tcp</span></b>" or "<b><span lang=EN-US>-p udp</span></b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --source-ports</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>,<b>--sports</b> <u>port</u>[,<u>port</u>|,<u>port</u>:<u>port</u>]...</span><span
style='font-family:"Microsoft YaHei"'>, match if the source port is one of the given ports. The flag <span lang=EN-US>--sports</span> is a convenient alias for this option. Multiple ports or port ranges are separated using a comma, and a port range is specified using a colon. <span lang=EN-US>53,1024:65535</span> would therefore match port 53 and all ports from 1024 through 65535.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --destination-ports</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>,<b>--dports</b> <u>port</u>[,<u>port</u>|,<u>port</u>:<u>port</u>]...</span><span
style='font-family:"Microsoft YaHei"'>, match if the destination port is one of the given ports. The flag <span lang=EN-US>--dports</span> is a convenient alias for this option.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --ports</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u>[,<u>port</u>|,<u>port</u>:<u>port</u>]...</span><span
style='font-family:"Microsoft YaHei"'>, match if either the source or the destination port is equal to one of the given ports.</span></p>
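<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span style='font-family:"Microsoft YaHei"'>A parser for this port-list syntax makes the two limits above concrete (15 ports at most, a range counting as two). The following Python is an added illustration, not iptables code; the function names are its own.</span></p>

```python
"""Parser and matcher for the `multiport` port-list syntax
(`port[,port|,port:port]...`). Added illustration, not iptables code; it
enforces the two limits the text gives: at most 15 ports, a range counting
as two, and rejects the list where iptables would reject the rule.
"""
MAX_PORTS = 15


def parse_multiport(spec):
    """'53,1024:65535' -> [(53, 53), (1024, 65535)]; ValueError on a bad list."""
    ranges, used = [], 0
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")       # a range is written lo:hi
        lo_port = int(lo)
        hi_port = int(hi) if sep else lo_port
        if not 0 <= lo_port <= hi_port <= 65535:
            raise ValueError(f"bad port or range: {item!r}")
        used += 2 if sep else 1                 # a range counts as two ports
        if used > MAX_PORTS:
            raise ValueError("too many ports: at most 15, a range counting as two")
        ranges.append((lo_port, hi_port))
    return ranges


def multiport_match(spec, sport, dport, which="ports"):
    """which selects --source-ports ('sports'), --destination-ports ('dports')
    or --ports ('ports': either side). sport/dport are the packet's ports."""
    ranges = parse_multiport(spec)

    def listed(port):
        return any(lo <= port <= hi for lo, hi in ranges)

    if which == "sports":
        return listed(sport)
    if which == "dports":
        return listed(dport)
    return listed(sport) or listed(dport)


def rule_accepted(spec):
    """True if the list is within the limits, False if iptables would reject it."""
    try:
        parse_multiport(spec)
        return True
    except ValueError:
        return False
```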

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>22</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>owner</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the <span lang=EN-US>OUTPUT</span> and <span lang=EN-US>POSTROUTING</span> chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --uid-owner</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>username</u></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --uid-owner</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>userid</u>[-<u>userid</u>]</span><span
style='font-family:"Microsoft YaHei"'>, matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or a UID range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --gid-owner</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>groupname</u></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --gid-owner</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>groupid</u>[-<u>groupid</u>]</span><span
style='font-family:"Microsoft YaHei"'>, matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --socket-exists</span></b><span
style='font-family:"Microsoft YaHei"'>, matches if the packet is associated with a socket.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>23</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>physdev</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches on the bridge port input and output devices enslaved to a bridge device. This module is part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above 2.5.44.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --physdev-in</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>name</u></span><span
style='font-family:"Microsoft YaHei"'>, the name of the bridge port via which a packet is received (only for packets entering the <span lang=EN-US>INPUT</span>, <span lang=EN-US>FORWARD</span> and <span lang=EN-US>PREROUTING</span> chains). If the interface name ends in a "<span lang=EN-US>+</span>", then any interface which begins with this name will match. If the packet did not arrive through a bridge device, this packet will not match this option, unless "<span lang=EN-US>!</span>" is used.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --physdev-out</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>name</u></span><span
style='font-family:"Microsoft YaHei"'>, the name of the bridge port via which a packet is going to be sent (for packets entering the <span lang=EN-US>FORWARD</span>, <span lang=EN-US>OUTPUT</span> and <span lang=EN-US>POSTROUTING</span> chains). If the interface name ends in a "<span lang=EN-US>+</span>", then any interface which begins with this name will match. Note that in the <span lang=EN-US>nat</span> and <span lang=EN-US>mangle</span> OUTPUT chains one cannot match on the bridge output port, but one can in the filter OUTPUT chain. If the packet will not leave by a bridge device, or if it is not yet known what the output device will be, then the packet will not match this option, unless '<span lang=EN-US>!</span>' is used.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --physdev-is-in</span></b><span
style='font-family:"Microsoft YaHei"'>, matches if the packet has entered through a bridge interface.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --physdev-is-out</span></b><span
style='font-family:"Microsoft YaHei"'>, matches if the packet will leave through a bridge interface.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --physdev-is-bridged</span></b><span
style='font-family:"Microsoft YaHei"'>, matches if the packet is being bridged and therefore is not being routed. This is only useful in the <span lang=EN-US>FORWARD</span> and <span lang=EN-US>POSTROUTING</span> chains.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>24</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>pkttype</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches the link-layer packet type.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --pkt-type
{unicast|broadcast|multicast}</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>25</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>policy</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches the policy used by IPsec for handling a packet.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--dir</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <b>{in|out}</b></span><span
style='font-family:"Microsoft YaHei"'>, used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. <span lang=EN-US>in</span> is valid in the <span lang=EN-US>PREROUTING</span>, <span lang=EN-US>INPUT</span> and <span lang=EN-US>FORWARD</span> chains; <span lang=EN-US>out</span> is valid in the <span lang=EN-US>POSTROUTING</span>, <span lang=EN-US>OUTPUT</span> and <span lang=EN-US>FORWARD</span> chains.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--pol {none|ipsec}</span></b><span
style='font-family:"Microsoft YaHei"'>, matches if the packet is subject to IPsec processing.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--strict</span></b><span
style='font-family:"Microsoft YaHei"'>, selects whether to match the exact policy, or to match if any rule of the policy matches the given policy.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --reqid</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> id</span><span
style='font-family:"Microsoft YaHei"'>, matches the reqid of the policy rule. The reqid can be specified with <span lang=EN-US>setkey(8)</span> using <span lang=EN-US>unique:id</span> as the level.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --spi </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>spi</span></u><span
style='font-family:"Microsoft YaHei"'>, matches the SPI of the SA.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --proto {ah|esp|ipcomp}</span></b><span
style='font-family:"Microsoft YaHei"'>, matches the encapsulation protocol.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --mode {tunnel|transport}</span></b><span
style='font-family:"Microsoft YaHei"'>, matches the encapsulation mode.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --tunnel-src</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>addr</u>[/<u>mask</u>]</span><span
style='font-family:"Microsoft YaHei"'>, matches the source end-point address of a tunnel mode SA. Only valid together with "<b><span
lang=EN-US>--mode tunnel</span></b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --tunnel-dst</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>addr</u>[/<u>mask</u>]</span><span
style='font-family:"Microsoft YaHei"'>, matches the destination end-point address of a tunnel mode SA. Only valid together with "<b><span
lang=EN-US>--mode tunnel</span></b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--next</span></b><span
style='font-family:"Microsoft YaHei"'>, start the next element in the policy specification. Only valid together with "<b><span lang=EN-US>--strict</span></b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>26</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>quota</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Implements network quotas by decrementing a byte counter per packet.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--quota</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>bytes</u></span><span
style='font-family:"Microsoft YaHei"'>, the quota in bytes.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>27</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>rateest</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The rate estimator can match on estimated rates as collected by the <span lang=EN-US>RATEEST</span> target. It supports matching on absolute bps/pps values, comparing two rate estimators, and matching on the difference between two rate estimators.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest1</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>name</u></span><span
style='font-family:"Microsoft YaHei"'>, the name of the first rate estimator.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest2</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>name</u></span><span
style='font-family:"Microsoft YaHei"'>, the name of the second rate estimator.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest-delta</span></b><span
style='font-family:"Microsoft YaHei"'>, compare the difference(s) to the given rate(s).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest1-bps</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u></span><span
style='font-family:"Microsoft YaHei"'>, compare bytes per second (first estimator).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest2-bps</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u></span><span
style='font-family:"Microsoft YaHei"'>, compare bytes per second (second estimator).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest1-pps</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u></span><span
style='font-family:"Microsoft YaHei"'>, compare packets per second (first estimator).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rateest2-pps</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u></span><span
style='font-family:"Microsoft YaHei"'>, compare packets per second (second estimator).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --rateest-lt</span></b><span
style='font-family:"Microsoft YaHei"'>, match if the rate is less than the given rate/estimator.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --rateest-gt</span></b><span
style='font-family:"Microsoft YaHei"'>, match if the rate is greater than the given rate/estimator.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --rateest-eq</span></b><span
style='font-family:"Microsoft YaHei"'>, match if the rate is equal to the given rate/estimator.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'># Example: route outgoing data connections from an FTP server over two lines based on the available bandwidth at the time the data connection was started:</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'># Estimate outgoing rates</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --rateest-interval 250ms --rateest-ewma 0.5s</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 --rateest-interval 250ms --rateest-ewma 0.5s</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'># Mark based on available bandwidth</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -t mangle -A balance -j CONNMARK --restore-mark</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>28</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>realm</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This matches the routing realm. Routing realms are used in complex routing setups involving dynamic routing protocols like <span lang=EN-US>BGP</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --realm</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>[/<u>mask</u>]</span><span
style='font-family:"Microsoft YaHei"'>, matches a given realm number (and optionally mask). If it is not a number, value can be a named realm from "<b><span lang=EN-US>/etc/iproute2/rt_realms</span></b>" (a mask cannot be used in that case).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>29</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>recent</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without further consideration. <b><span lang=EN-US>--set</span>, <span
lang=EN-US>--rcheck</span>, <span lang=EN-US>--update</span> and <span lang=EN-US>--remove</span></b> are mutually exclusive.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--name</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>name</u></span><span
style='font-family:"Microsoft YaHei"'>, specify the list to use for the commands. If no name is given, the default list will be used.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --set</span></b><span
style='font-family:"Microsoft YaHei"'>, this will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This will always return success (or failure if "<span lang=EN-US>!</span>" is passed in).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rsource</span></b><span
style='font-family:"Microsoft YaHei"'>, match/save the source address of each packet in the recent list table. This is the default.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rdest</span></b><span
style='font-family:"Microsoft YaHei"'>, match/save the destination address of each packet in the recent list table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --rcheck</span></b><span
style='font-family:"Microsoft YaHei"'>, check if the source address of the packet is currently in the list.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --update</span></b><span
style='font-family:"Microsoft YaHei"'>, like "<b><span lang=EN-US>--rcheck</span></b>", except it will update the "last seen" timestamp if it matches.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --remove</span></b><span
style='font-family:"Microsoft YaHei"'>, check if the source address of the packet is currently in the list; if so, that address will be removed from the list and the rule will return <span lang=EN-US>true</span>. If the address is not found, <span lang=EN-US>false</span> is returned.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--seconds</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>seconds</u></span><span
style='font-family:"Microsoft YaHei"'>, this option must be used in conjunction with one of "<b><span lang=EN-US>--rcheck</span></b>" or "<b><span
lang=EN-US>--update</span></b>". When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--hitcount</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>hits</u></span><span
style='font-family:"Microsoft YaHei"'>，此选项必须与“<b><span lang=EN-US>--rcheck</span></b>”或“<b><span
lang=EN-US>--update</span></b>”之一结合使用。使用时，这将缩小匹配范围，仅当地址在列表中且数据包已接收到大于或等于给定值时才发生。此选项可与<span
lang=EN-US>“<b>--seconds</b>”</span>一起使用，以创建一个更窄的匹配，需要在特定的时间范围内执行一定数量的命中。<span
lang=EN-US>HitCount</span>参数的最大值由<span lang=EN-US>xt_recent</span>内核模块的<span
lang=EN-US>“ip_pkt_list_tot”</span>参数给出。在命令行中超过此值将导致拒绝该规则。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--rttl</span></b><span
style='font-family:"Microsoft YaHei"'>，此选项只能与“<b><span lang=EN-US>--rcheck</span></b>”或“<b><span
lang=EN-US>--update</span></b>”中的一个一起使用。当使用时，这将缩小匹配范围，只有当地址在列表中，并且当前数据包的<span
lang=EN-US>ttl</span>与符合<span lang=EN-US>“<b>--set</b>”</span>规则的数据包匹配时才会发生匹配。这可能是有用的，如果你有问题的人伪造他们的源地址，以便通过这个模块拒绝其他人访问你的网站通过发送虚假的数据包给你。</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A
  FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A
  FORWARD -p tcp -i eth0 --dport 139 -m recent --name  badguy  --set -j DROP</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>“<span lang=EN-US>/proc/net/xt_recent/*</span>” are the current lists of addresses and information about each entry of each list. Each file in “<span
lang=EN-US>/proc/net/xt_recent/</span>” can be read to see the current list, or written to with the following commands to modify the list:</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>echo +addr
  &gt;/proc/net/xt_recent/DEFAULT</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>add </span></code><code><span
  lang=EN-US style='font-size:10.0pt;line-height:200%;font-family:Menlo'>addr</span></code><code><span
  style='font-size:10.0pt;line-height:200%;font-family:DengXian'> to the DEFAULT list</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>echo -addr
  &gt;/proc/net/xt_recent/DEFAULT</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>remove </span></code><code><span
  lang=EN-US style='font-size:10.0pt;line-height:200%;font-family:Menlo'>addr</span></code><code><span
  style='font-size:10.0pt;line-height:200%;font-family:DengXian'> from the DEFAULT list</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>echo /
  &gt;/proc/net/xt_recent/DEFAULT</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>flush the DEFAULT list</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The module itself accepts parameters, defaults shown:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ip_list_tot</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>=<u>100</u></span><span
style='font-family:"Microsoft YaHei"'>: number of addresses remembered per table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ip_pkt_list_tot</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>=<u>20</u></span><span
style='font-family:"Microsoft YaHei"'>: number of packets per address remembered.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ip_list_hash_size</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>=<u>0</u></span><span
style='font-family:"Microsoft YaHei"'>: hash table size. <span lang=EN-US>0</span> means to calculate it based on <span
lang=EN-US>ip_list_tot</span> (default: <span lang=EN-US>512</span>).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ip_list_perms</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>=<u>0644</u></span><span
style='font-family:"Microsoft YaHei"'>: permissions for the “<span lang=EN-US>/proc/net/xt_recent/*</span>” files.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ip_list_uid</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>=<u>0</u></span><span
style='font-family:"Microsoft YaHei"'>: numerical owner <span lang=EN-US>UID</span> of the “<span lang=EN-US>/proc/net/xt_recent/*</span>” files.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>ip_list_gid</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>=<u>0</u></span><span
style='font-family:"Microsoft YaHei"'>: numerical owner group <span lang=EN-US>GID</span> of the “<span lang=EN-US>/proc/net/xt_recent/*</span>” files.</span></p>
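<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The interplay of <span lang=EN-US>--set</span>, <span lang=EN-US>--update</span>, <span lang=EN-US>--seconds</span>, <span lang=EN-US>--hitcount</span> and the <span lang=EN-US>ip_pkt_list_tot</span> limit is easiest to see in a small model. The following Python is an added example, not code from this page or from the netfilter project: it keeps one timestamp ring per address the way the module does and replays the common two-rule connection throttle over a constructed attempt log. The list name <span lang=EN-US>SSH</span>, the port and the timestamps are assumptions made for the example; times are plain seconds rather than kernel jiffies.</span></p>

```python
"""Model of the iptables "recent" match (constructed example, not kernel code).

A list entry remembers a source address and a ring of up to ip_pkt_list_tot
packet timestamps; --seconds and --hitcount are evaluated against that ring.
Times are plain seconds here rather than kernel jiffies.
"""
from collections import deque

IP_LIST_TOT = 100      # module default: addresses remembered per list
IP_PKT_LIST_TOT = 20   # module default: timestamps remembered per address


class RecentList:
    """One named list, as exposed under /proc/net/xt_recent/<name>."""

    def __init__(self, name="DEFAULT"):
        self.name = name
        self.entries = {}  # addr -> deque of timestamps, newest last

    def _hits(self, addr, now, seconds):
        """Remembered packets from addr within the last `seconds`
        (all of them when no --seconds is given)."""
        stamps = self.entries[addr]
        if not seconds:
            return len(stamps)
        return sum(1 for t in stamps if t >= now - seconds)

    def set(self, addr, now):
        """--set: create the entry (evicting the least recently seen address
        when the list already holds ip_list_tot of them) or refresh it, and
        record this packet's timestamp.  Always matches."""
        if addr not in self.entries:
            if len(self.entries) >= IP_LIST_TOT:
                oldest = min(self.entries, key=lambda a: self.entries[a][-1])
                del self.entries[oldest]
            self.entries[addr] = deque(maxlen=IP_PKT_LIST_TOT)
        self.entries[addr].append(now)
        return True

    def rcheck(self, addr, now, seconds=0, hitcount=0):
        """--rcheck [--seconds S] [--hitcount H]: match if addr is listed and
        at least H (at least one, when H is 0) of its remembered packets were
        seen within the last S seconds."""
        if addr not in self.entries:
            return False
        return self._hits(addr, now, seconds) >= max(hitcount, 1)

    def update(self, addr, now, seconds=0, hitcount=0):
        """--update: like --rcheck, but a successful match also refreshes the
        entry with the current timestamp."""
        if not self.rcheck(addr, now, seconds, hitcount):
            return False
        self.entries[addr].append(now)
        return True

    def remove(self, addr):
        """--remove: delete addr from the list; true only if it was present."""
        return self.entries.pop(addr, None) is not None


def ssh_throttle(attempts, seconds=60, hitcount=4):
    """Verdicts of the common two-rule throttle for a sequence of (time, source)
    new-connection attempts (times ascending):

        iptables -A INPUT -p tcp --dport 22 -m recent --name SSH --set
        iptables -A INPUT -p tcp --dport 22 -m recent --name SSH --update \\
                 --seconds 60 --hitcount 4 -j DROP

    The list name SSH and the port are assumed for the example.
    """
    ssh = RecentList("SSH")
    verdicts = []
    for now, src in attempts:
        ssh.set(src, now)                               # rule 1: record, no target
        if ssh.update(src, now, seconds, hitcount):     # rule 2: too many recently?
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts


# Constructed attempt log: one source hammering port 22, one behaving normally.
ATTEMPTS = [(0, "198.51.100.7"), (5, "203.0.113.5"), (10, "198.51.100.7"),
            (20, "198.51.100.7"), (30, "198.51.100.7"), (40, "198.51.100.7"),
            (100, "198.51.100.7")]

if __name__ == "__main__":
    for (t, src), verdict in zip(ATTEMPTS, ssh_throttle(ATTEMPTS)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Two things the replay makes visible: the fourth attempt inside the 60-second window is the first one dropped, and at <span lang=EN-US>t=100</span> the same source is accepted again because only the timestamps newer than <span lang=EN-US>now - 60</span> are counted. Because the ring holds at most <span lang=EN-US>ip_pkt_list_tot</span> timestamps, a hitcount above that value could never be reached, which is why iptables rejects such a rule outright.</span></p>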

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>30</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>sctp</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --source-port,--sport</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u>[:<u>port</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --destination-port,--dport
</span></b><u><span lang=EN-US style='font-family:"Microsoft YaHei"'>port</span></u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[:<u>port</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --chunk-types
{all|any|only} </span></b><u><span lang=EN-US style='font-family:"Microsoft YaHei"'>chunktype</span></u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[:<u>flags</u>] [...]</span><span
style='font-family:"Microsoft YaHei"'>: a flag letter in upper case indicates that the flag must be set for the chunk to match; in lower case it indicates that the flag must be unset.</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>Chunk types: 
DATA  INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK
ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE  ECN_CWR  SHUTDOWN_COMPLETE ASCONF
ASCONF_ACK</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>chunk type</span><span
style='font-family:"Microsoft YaHei"'>：<span lang=EN-US>available flags</span></span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>DATA</span><span
style='font-family:"Microsoft YaHei"'>：<span lang=EN-US>U B E u b e</span></span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>ABORT</span><span
style='font-family:"Microsoft YaHei"'>：<span lang=EN-US>T t</span></span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span lang=EN-US style='font-family:"Microsoft YaHei"'>SHUTDOWN_COMPLETE</span><span
style='font-family:"Microsoft YaHei"'>：<span lang=EN-US>T t</span></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Examples</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT
  -p sctp --dport 80 -j DROP</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT
  -p sctp --chunk-types any DATA,INIT -j DROP</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A INPUT
  -p sctp --chunk-types any DATA:Be -j ACCEPT</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>31</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>set</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches <span lang=EN-US>IP</span> sets which can be defined by <span lang=EN-US>ipset(8)</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --match-set</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>setname</u> <u>flag</u>[,<u>flag</u>]..</span><span
style='font-family:"Microsoft YaHei"'>: where <span lang=EN-US>flag</span> is a comma-separated list of <span
lang=EN-US>src</span> and/or <span lang=EN-US>dst</span> specifications, of which there can be no more than <span lang=EN-US>6</span>.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A
  FORWARD -m set --match-set test src,dst</span></code></p>
  <p class=MsoNormal style='line-height:200%'><span style='font-family:"Microsoft YaHei"'>will match packets for which (if the set type is <span lang=EN-US>ipportmap</span>) the source address and destination port pair can be found in the specified set. If the set type of the specified set is single-dimensional (for example <span lang=EN-US>ipmap</span>), then the command will match packets for which the source address can be found in the specified set.</span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The option “<b><span
lang=EN-US>--match-set</span></b>” can be replaced by “<b><span lang=EN-US>--set</span></b>” if that does not clash with an option of another extension.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>32</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>socket</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This matches if an open socket can be found by doing a socket lookup on the packet.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--transparent</span></b><span
style='font-family:"Microsoft YaHei"'>: ignore non-<span lang=EN-US>transparent</span> sockets.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>33</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>state</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module, when combined with connection tracking, allows access to the connection tracking state for this packet.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --state</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>state</u></span><span
style='font-family:"Microsoft YaHei"'>: where <span lang=EN-US>state</span> is a comma-separated list of the connection states to match. The possible states are <b><span lang=EN-US>INVALID</span></b>, meaning that the packet could not be identified for some reason, which includes running out of memory and <span
lang=EN-US>ICMP</span> errors that do not correspond to any known connection; <b><span lang=EN-US>ESTABLISHED</span></b>, meaning that the packet is associated with a connection which has already seen packets in both directions; <b><span lang=EN-US>NEW</span></b>, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and <b><span lang=EN-US>RELATED</span></b>, meaning that the packet is starting a new connection but is associated with an existing connection, such as an <span
lang=EN-US>FTP</span> data transfer or an <span lang=EN-US>ICMP</span> error.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>34</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>statistic</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches packets based on some statistical condition. It supports two distinct modes, set with the “<span
lang=EN-US>--mode</span>” option.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--mode</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>mode</u></span><span
style='font-family:"Microsoft YaHei"'>: set the matching mode of the matching rule; the supported modes are <span lang=EN-US>random</span> and <span
lang=EN-US>nth</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--probability</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>p</u></span><span
style='font-family:"Microsoft YaHei"'>: set the probability, from <span lang=EN-US>0</span> to <span
lang=EN-US>1</span>, for a packet to be randomly matched. It works only with the <span lang=EN-US>random</span> mode.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--every </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>n</span></u><span
style='font-family:"Microsoft YaHei"'>: match one packet every <span lang=EN-US>n</span>th packet. It works only with the <span
lang=EN-US>nth</span> mode.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--packet</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>p</u></span><span
style='font-family:"Microsoft YaHei"'>: set the initial counter value for the <span lang=EN-US>nth</span> mode <span
lang=EN-US>(0&lt;=p&lt;=n-1</span>, default <span lang=EN-US>0)</span>.</span></p>
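<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>How the <span lang=EN-US>nth</span> counter and the <span lang=EN-US>--packet</span> offset interact, and why a chain of such rules with shrinking divisors gives an even split, is shown by the following added example. It is Python written for this page, not iptables or kernel code; the backend addresses are constructed and the rule chain is modelled as a list of counters.</span></p>

```python
"""Model of the iptables "statistic" match in nth mode (constructed example,
not kernel code).  A rule keeps one counter that starts at --packet p and
advances once for every packet reaching the rule; the packet that brings the
counter to --every n matches and resets it, so with p = 0 the n-th, 2n-th,
... packet matches and a larger p moves the first match earlier."""


class NthMatch:
    """-m statistic --mode nth --every n --packet p"""

    def __init__(self, every, packet=0):
        if every < 1 or not 0 <= packet <= every - 1:
            raise ValueError("need n >= 1 and 0 <= p <= n-1")
        self.every = every
        self.count = packet

    def match(self):
        """Advance the rule's counter; True for the packet that wraps it."""
        self.count += 1
        if self.count >= self.every:
            self.count = 0
            return True
        return False


def round_robin(n_packets, backends):
    """Spread packets evenly over `backends` with a chain of nth rules, the
    pattern used for DNAT load balancing: rule k (0-based) is
    --every (len(backends) - k) --packet 0 and the last rule takes the rest.
    Each rule only ever sees the packets earlier rules did not take, which is
    why the divisors shrink by one per rule."""
    rules = [NthMatch(len(backends) - k) for k in range(len(backends) - 1)]
    chosen = []
    for _ in range(n_packets):
        for k, rule in enumerate(rules):
            if rule.match():
                chosen.append(backends[k])
                break
        else:
            chosen.append(backends[-1])
    return chosen


if __name__ == "__main__":
    # Constructed backend addresses; every third packet goes to each one.
    print(round_robin(9, ["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The point of the example is the second rule: it uses <span lang=EN-US>--every 2</span>, not <span lang=EN-US>--every 3</span>, because it only sees the two thirds of the traffic the first rule let through. Writing <span lang=EN-US>--every 3</span> in every rule of such a chain is a frequent mistake and leaves the last backend with most of the load.</span></p>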

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>35</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>string</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches a given string by using some pattern matching strategy. It requires a <span
lang=EN-US>Linux</span> kernel <span lang=EN-US>&gt;=2.6.14</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--algo {bm|kmp}</span></b><span
style='font-family:"Microsoft YaHei"'>: select the pattern matching strategy <span lang=EN-US>(bm=Boyer-Moore, 
kmp=Knuth-Morris-Pratt)</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--from</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>offset</u></span><span
style='font-family:"Microsoft YaHei"'>: set the offset from which it starts looking for a match. If not passed, the default is <span lang=EN-US>0</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--to</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>offset</u></span><span
style='font-family:"Microsoft YaHei"'>: set the offset up to which it scans for a match. If not passed, the default is the packet size.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --string</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>pattern</u></span><span
style='font-family:"Microsoft YaHei"'>: match the given pattern.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --hex-string </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>pattern</span></u><span
style='font-family:"Microsoft YaHei"'>: match the given pattern in hex notation.</span></p>
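<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The <span lang=EN-US>--from</span>/<span lang=EN-US>--to</span> window and the <span lang=EN-US>|hex|</span> notation accepted by <span lang=EN-US>--hex-string</span> are modelled in the following added example (Python written for this page, not iptables or kernel code). The packet is constructed: a zeroed IPv4 and UDP header followed by a DNS query for <span lang=EN-US>www.netfilter.org</span>, so the label sequence starts at offset 40; the offsets are counted from the start of the IP header because that is byte 0 of the packet as netfilter sees it.</span></p>

```python
r"""Model of the iptables "string" match window and --hex-string syntax
(constructed example, not kernel code).  Offsets count from byte 0 of the
packet as netfilter sees it, which is the start of the IP header, so a rule
that should only look at application data needs --from to skip the headers.
"""

HEX_DIGITS = "0123456789abcdefABCDEF"


def parse_hex_string(spec):
    r"""Decode a --hex-string pattern.  Text outside '|...|' is literal,
    inside it is hex bytes (whitespace ignored); '\|' and '\\' escape a
    literal bar or backslash.  Example: "|03|www|09|netfilter|03|org|00|"."""
    out = bytearray()
    in_hex = False
    i = 0
    while i < len(spec):
        c = spec[i]
        if in_hex:
            if c == "|":
                in_hex = False
            elif not c.isspace():
                pair = spec[i:i + 2]
                if len(pair) != 2 or any(ch not in HEX_DIGITS for ch in pair):
                    raise ValueError(f"bad hex byte at offset {i} in {spec!r}")
                out.append(int(pair, 16))
                i += 1
        elif c == "\\" and i + 1 < len(spec) and spec[i + 1] in "|\\":
            i += 1
            out.append(ord(spec[i]))
        elif c == "|":
            in_hex = True
        else:
            out.append(ord(c))
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section in pattern")
    return bytes(out)


def string_match(packet, pattern, frm=0, to=None):
    """[!] --string/--hex-string with --from/--to: the pattern must lie
    entirely inside packet[frm:to]; byte to-1 is the last one scanned and
    --to defaults to the packet size."""
    if to is None:
        to = len(packet)
    return pattern in packet[frm:to]


# Constructed packet: 20-byte IPv4 header + 8-byte UDP header (zeroed for
# brevity), then a DNS query for www.netfilter.org.  The name begins at
# offset 40 and is 19 bytes long.
DNS_QUERY = (bytes(28)
             + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x03www\x09netfilter\x03org\x00"
             + b"\x00\x01\x00\x01")
NETFILTER_QNAME = parse_hex_string("|03|www|09|netfilter|03|org|00|")

if __name__ == "__main__":
    print(string_match(DNS_QUERY, NETFILTER_QNAME))          # True
    print(string_match(DNS_QUERY, NETFILTER_QNAME, to=28))   # False: headers only
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>A <span lang=EN-US>--to</span> of 58 fails although the name starts at 40, because its last byte sits at offset 58 and only bytes up to <span lang=EN-US>to-1</span> are scanned; this is the usual reason a string rule with a tight window silently stops matching after a packet format changes.</span></p>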

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>36</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>tcp</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>These extensions can be used if “<b><span lang=EN-US>--protocol tcp</span></b>” is specified. It provides the following options:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --source-port</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>,<b>--sport</b> <u>port</u>[:<u>port</u>]</span><span
style='font-family:"Microsoft YaHei"'>: source port or port range specification. This can either be a service name or a port number. If the first port is omitted, “<span
lang=EN-US>0</span>” is assumed; if the last port is omitted, “<span lang=EN-US>65535</span>” is assumed. If the first port is greater than the second one they will be swapped.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --destination-port</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>,<b>--dport</b> <u>port</u>[:<u>port</u>]</span><span
style='font-family:"Microsoft YaHei"'>: destination port or port range specification. “<span lang=EN-US>--dport</span>” is a convenient alias for this option.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --tcp-flags</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>mask</u> <u>comp</u></span><span
style='font-family:"Microsoft YaHei"'>: match when the <span lang=EN-US>TCP</span> flags are as specified. The first argument, <span lang=EN-US>mask</span>, is the set of flags we should examine, written as a comma-separated list; the second argument, <span
lang=EN-US>comp</span>, is a comma-separated list of the flags which must be set. A <span lang=EN-US>flag</span> can be any of <b><span
lang=EN-US>SYN ACK FIN RST URG PSH ALL NONE</span></b>.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A
  FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>This rule matches only packets whose </span></code><code><span
  lang=EN-US style='font-size:10.0pt;line-height:200%;font-family:Menlo'>SYN</span></code><code><span
  style='font-size:10.0pt;line-height:200%;font-family:DengXian'> flag is set and whose ACK, FIN and RST flags are clear</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --syn</span></b><span
style='font-family:"Microsoft YaHei"'>: only match <span lang=EN-US>TCP</span> packets with the <span lang=EN-US>SYN</span> bit set and the <span
lang=EN-US>ACK</span>, <span lang=EN-US>RST</span> and <span lang=EN-US>FIN</span> bits cleared. It is equivalent to “<b><span
lang=EN-US>--tcp-flags SYN,RST,ACK,FIN SYN</span></b>”.</span></p>
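<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The mask-then-compare rule behind <span lang=EN-US>--tcp-flags</span> and <span lang=EN-US>--syn</span> is small enough to state exactly, and the following added example does so in Python (written for this page, not iptables code). It also evaluates the flag-sanity rules commonly placed at the top of a filter chain; the flag bit values are those of the TCP header, and the rule list is an assumption made for the example.</span></p>

```python
"""Model of `[!] --tcp-flags mask comp` and `--syn` (constructed example,
not iptables code).  The flag byte is masked, then compared with comp, so
every flag named in mask but not in comp must be clear and flags outside the
mask are ignored."""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALIASES = {"ALL": 0x3F, "NONE": 0x00}


def flag_bits(spec):
    """'SYN,ACK,FIN,RST' -> bitmask; accepts ALL and NONE as well."""
    bits = 0
    for name in spec.upper().split(","):
        if name in ALIASES:
            bits |= ALIASES[name]
        elif name in TCP_FLAGS:
            bits |= TCP_FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag {name!r}")
    return bits


def flags_from_names(*names):
    """Build a packet's flag byte from flag names, e.g. ('SYN', 'ACK')."""
    return flag_bits(",".join(names))


def tcp_flags_match(flags, mask, comp, negate=False):
    """Evaluate `[!] --tcp-flags mask comp` against a packet's flag byte."""
    matched = (flags & flag_bits(mask)) == flag_bits(comp)
    return matched != negate


def syn_match(flags, negate=False):
    """`[!] --syn`, shorthand for --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN", negate)


# Sanity rules commonly placed early in a filter chain (list assumed for the
# example); each entry is the (mask, comp) pair of one --tcp-flags rule and
# the name reported when it hits.
BOGUS_FLAG_RULES = [
    ("ALL", "NONE", "null-scan"),
    ("ALL", "ALL", "xmas-scan"),
    ("SYN,FIN", "SYN,FIN", "syn-fin"),
    ("SYN,RST", "SYN,RST", "syn-rst"),
    ("FIN,ACK", "FIN", "fin-without-ack"),
]


def bogus_flag_combination(flags):
    """Name of the first sanity rule the flag byte hits, or None."""
    for mask, comp, name in BOGUS_FLAG_RULES:
        if tcp_flags_match(flags, mask, comp):
            return name
    return None


if __name__ == "__main__":
    for names in (("SYN",), ("SYN", "ACK"), ("SYN", "PSH"), ()):
        f = flags_from_names(*names) if names else 0
        print(names, "syn" if syn_match(f) else "-", bogus_flag_combination(f))
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Note that a packet carrying <span lang=EN-US>SYN</span> together with <span lang=EN-US>PSH</span> still satisfies “<span lang=EN-US>--tcp-flags SYN,ACK,FIN,RST SYN</span>”, because <span lang=EN-US>PSH</span> is not in the mask; a rule that must insist on exactly one flag has to use <span lang=EN-US>ALL</span> as the mask.</span></p>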

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --tcp-option</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>number</u></span><span
style='font-family:"Microsoft YaHei"'>: match if the given <span lang=EN-US>TCP</span> option is set.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>37</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>tcpmss</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This matches the <span lang=EN-US>TCP MSS</span> (maximum segment size) field of the <span lang=EN-US>TCP</span> header. You can only use this on <span
lang=EN-US>TCP SYN</span> or <span lang=EN-US>SYN/ACK</span> packets, since the <span
lang=EN-US>MSS</span> is only negotiated during the <span lang=EN-US>TCP</span> handshake at connection startup time.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --mss</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>[:<u>value</u>]</span><span
style='font-family:"Microsoft YaHei"'>: match a given <span lang=EN-US>TCP MSS</span> value or range.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>38</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>time</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed together when specified.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--datestart </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>YYYY</span></u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[-<u>MM</u>[-<u>DD</u>[<u>Thh</u>[:<u>mm</u>[:<u>ss</u>]]]]]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--datestop</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>YYYY</u>[-<u>MM</u>[-<u>DD</u>[<u>Thh</u>[:<u>mm</u>[:<u>ss</u>]]]]]</span><span
style='font-family:"Microsoft YaHei"'>: only match during the given time, which must be in <span lang=EN-US>ISO
8601 “T”</span> notation. The possible time range is <span lang=EN-US>1970-01-01T00:00:00</span> to <span lang=EN-US>2038-01-19T04:17:07</span>. If “<span lang=EN-US>--datestart</span>” or “<span
lang=EN-US>--datestop</span>” is not specified, it will default to <span lang=EN-US>1970-01-01</span> and <span
lang=EN-US>2038-01-19</span>, respectively.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--timestart</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>hh</u>:<u>mm</u>[:<u>ss</u>]</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--timestop</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>hh</u>:<u>mm</u>[:<u>ss</u>]</span><span
style='font-family:"Microsoft YaHei"'>: only match during the given daytime. The possible time range is <span lang=EN-US>00:00:00</span> to <span lang=EN-US>23:59:59</span>. Leading zeroes are allowed (e.g. “<span lang=EN-US>06:03</span>”) and correctly interpreted as base 10.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --monthdays</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>day</u>[,<u>day</u>...]</span><span
style='font-family:"Microsoft YaHei"'>: only match on the given days of the month. Possible values are <span lang=EN-US>1</span> to <span
lang=EN-US>31</span>. Note that specifying <span lang=EN-US>31</span> will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --weekdays</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>day</u>[,<u>day</u>...]</span><span
style='font-family:"Microsoft YaHei"'>: only match on the given weekdays. Possible values are <span lang=EN-US>Mon</span>, <span
lang=EN-US>Tue</span>, <span lang=EN-US>Wed</span>, <span lang=EN-US>Thu</span>, <span
lang=EN-US>Fri</span>, <span lang=EN-US>Sat</span>, <span lang=EN-US>Sun</span>, or values from <span
lang=EN-US>1</span> to <span lang=EN-US>7</span>. You may also use two-character variants (<span
lang=EN-US>Mo</span>, <span lang=EN-US>Tu</span>, etc.).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--utc</span></b><span
style='font-family:"Microsoft YaHei"'>: interpret the times given for <b><span lang=EN-US>--datestart</span>, <span
lang=EN-US>--datestop</span>, <span lang=EN-US>--timestart</span> and <span
lang=EN-US>--timestop</span></b> as <span lang=EN-US>UTC</span>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--localtz</span></b><span
style='font-family:"Microsoft YaHei"'>: interpret the times given for <b><span lang=EN-US>--datestart</span>, <span
lang=EN-US>--datestop</span>, <span lang=EN-US>--timestart</span> and <span
lang=EN-US>--timestop</span></b> as local time (the default).</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>Match on weekends</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>-m time
  --weekdays Sa,Su</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>Match on a national holiday block</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>-m time
  --datestart 2007-12-24 --datestop 2007-12-27</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>Since the stop time is actually inclusive, the following stop time is needed so as not to match the first second of the new day:</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>-m time
  --datestart 2007-01-01T17:00 --datestop 2007-01-01T23:59:59</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>Lunch time</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>-m time
  --timestart 12:30 --timestop 13:30</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span style='font-size:
  10.0pt;line-height:200%;font-family:DengXian'>The fourth Friday of the month:</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>-m time
  --weekdays Fr --monthdays 22,23,24,25,26,27,28</span></code></p>
  </td>
 </tr>
</table>
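<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The rules in the table above, and the inclusive-stop caveat, are replayed in the following added example: a Python model of the <span lang=EN-US>time</span> match written for this page, not kernel code. It parses the option syntaxes given above, ANDs whatever options are present, treats <span lang=EN-US>--datestop</span> and <span lang=EN-US>--timestop</span> as inclusive, and lets a <span lang=EN-US>--timestart</span> later than <span lang=EN-US>--timestop</span> wrap around midnight. The arrival times are constructed and are assumed to already be in the zone the rule is evaluated in (local time by default, <span lang=EN-US>UTC</span> with <span lang=EN-US>--utc</span>).</span></p>

```python
"""Model of the iptables "time" match (constructed example, not kernel code).
All given options are ANDed; --datestop and --timestop are inclusive, and a
--timestart later than --timestop wraps around midnight.  `arrival` is a
naive datetime already expressed in the zone the rule is evaluated in
(local time by default, UTC with --utc)."""
import re
from datetime import datetime

DATE_RE = re.compile(
    r"^(\d{4})(?:-(\d{2})(?:-(\d{2})(?:T(\d{2})(?::(\d{2})(?::(\d{2}))?)?)?)?)?$")
WEEKDAY_ABBREV = {"mo": 1, "tu": 2, "we": 3, "th": 4, "fr": 5, "sa": 6, "su": 7}


def parse_date(spec):
    """YYYY[-MM[-DD[Thh[:mm[:ss]]]]]; omitted parts default to the lowest value,
    so --datestop 2007-12-27 means 2007-12-27T00:00:00."""
    m = DATE_RE.match(spec)
    if not m:
        raise ValueError(f"bad ISO 8601 date {spec!r}")
    y, mo, d, h, mi, s = (int(g) if g else None for g in m.groups())
    return datetime(y, mo or 1, d or 1, h or 0, mi or 0, s or 0)


def parse_daytime(spec):
    """hh:mm[:ss] -> seconds since midnight (leading zeroes are fine)."""
    parts = [int(p) for p in spec.split(":")]
    if len(parts) == 2:
        parts.append(0)
    h, m, s = parts
    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError(f"bad time of day {spec!r}")
    return h * 3600 + m * 60 + s


def parse_weekdays(spec):
    """'Mon,Tue' / 'Mo,Tu' / '1,2' -> set of ISO weekday numbers (Mon=1..Sun=7)."""
    days = set()
    for tok in spec.split(","):
        tok = tok.strip().lower()
        days.add(int(tok) if tok.isdigit() else WEEKDAY_ABBREV[tok[:2]])
    return days


def time_match(arrival, datestart=None, datestop=None, timestart=None,
               timestop=None, weekdays=None, monthdays=None):
    """Evaluate the -m time options against the packet's arrival time."""
    if datestart and arrival < parse_date(datestart):
        return False
    if datestop and arrival > parse_date(datestop):          # inclusive stop
        return False
    if timestart or timestop:
        start = parse_daytime(timestart or "00:00:00")
        stop = parse_daytime(timestop or "23:59:59")
        now = arrival.hour * 3600 + arrival.minute * 60 + arrival.second
        if start <= stop:
            if not start <= now <= stop:
                return False
        elif stop < now < start:                               # window spans midnight
            return False
    if weekdays and arrival.isoweekday() not in parse_weekdays(weekdays):
        return False
    if monthdays and arrival.day not in {int(d) for d in monthdays.split(",")}:
        return False
    return True


if __name__ == "__main__":
    # The fourth Friday of December 2007 is the 28th; the 21st is only the third.
    rule = dict(weekdays="Fr", monthdays="22,23,24,25,26,27,28")
    print(time_match(datetime(2007, 12, 28, 9), **rule),
          time_match(datetime(2007, 12, 21, 9), **rule))
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The “fourth Friday” rule works only because the options are ANDed: days 22 to 28 are the only range that contains exactly one of each weekday, so adding <span lang=EN-US>--weekdays Fr</span> pins it to a single day.</span></p>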

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>39</span><span
style='font-family:"Microsoft YaHei"'>) <b><span lang=EN-US>tos</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module matches the <span lang=EN-US>8</span>-bit Type of Service field in the <span lang=EN-US>IPv4</span> header (i.e. including the “Precedence” bits) or the (also <span lang=EN-US>8</span>-bit) Priority field in the <span lang=EN-US>IPv6</span> header.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --tos </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>value</span></u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[/<u>mask</u>]</span><span
style='font-family:"Microsoft YaHei"'>: match packets with the given <span lang=EN-US>TOS</span> mark value. If a <span
lang=EN-US>mask</span> is specified, it is logically ANDed with the <span lang=EN-US>TOS</span> mark before the comparison.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --tos </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>symbol</span></u><span
style='font-family:"Microsoft YaHei"'>: you can specify a symbolic name when using the <span
lang=EN-US>tos</span> match for <span lang=EN-US>IPv4</span>. The list of recognized <span lang=EN-US>TOS</span> names can be obtained by calling <span
lang=EN-US>iptables</span> with “<b><span lang=EN-US>-m tos -h</span></b>”. Note that this implies a mask of <span
lang=EN-US>0x3F</span>, i.e. all but the <span lang=EN-US>ECN</span> bits.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>40</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>ttl</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>此模块匹配<span lang=EN-US>ip</span>报头中活动字段的时间。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ttl-eq</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>ttl</u></span><span
style='font-family:"Microsoft YaHei"'>，如果和给定的<span lang=EN-US>ttl</span>值相等，那么就匹配。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ttl-gt</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>ttl</u></span><span
style='font-family:"Microsoft YaHei"'>，如果大于给定的<span lang=EN-US>ttl</span>值，那么就匹配。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ttl-lt</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>ttl</u></span><span
style='font-family:"Microsoft YaHei"'>，如果小于给定的<span lang=EN-US>ttl</span>值，那么就匹配。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>41</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>u32</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>U32</span><span
style='font-family:"Microsoft YaHei"'>测试从数据包中提取的多达<span lang=EN-US>4</span>个字节的数量是否具有指定的值。要提取哪些内容的规范足够通用，可以在给定的偏移量下从<span
lang=EN-US>tcp</span>报头或有效负载中找到数据。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --u32</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>tests</u>, the argument amounts to a program in a small language described below.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>tests := location
  &quot;=&quot; value | tests &quot;&amp;&amp;&quot; location &quot;=&quot;
  value</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>value := range | value
  &quot;,&quot; range</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>range := number | number
  &quot;:&quot; number</span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>A single number, n, is interpreted as n:n. n:m is interpreted as the range of numbers &gt;=n and &lt;=m.</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>location := number |
  location operator number</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>operator :=
  &quot;&amp;&quot; | &quot;&lt;&lt;&quot; | &quot;&gt;&gt;&quot; |
  &quot;@&quot;</span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The operators &quot;&amp;&quot;, &quot;&lt;&lt;&quot;, &quot;&gt;&gt;&quot; and &quot;&amp;&amp;&quot; mean the same as in C. The &quot;=&quot; is really a set membership operator and the value syntax describes a set. The &quot;@&quot; operator is what allows moving to the next header and is described further below. There are currently some artificial implementation limits on the size of the tests:</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><b><span lang=EN-US style='font-family:"Microsoft YaHei"'>*</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> no more than 10 &quot;=&quot; (and 9 &quot;&amp;&amp;&quot;s) in the u32 argument;</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><b><span lang=EN-US style='font-family:"Microsoft YaHei"'>*</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> no more than 10 ranges (and 9 commas) per value;</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><b><span lang=EN-US style='font-family:"Microsoft YaHei"'>*</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> no more than 10 numbers (and 9 operators) per location.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>To describe the meaning of location, imagine the following machine that interprets it. There are three registers: A is of type char *, initially the address of the IP header; B and C are unsigned 32 bit integers, initially zero. The instructions are:</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>number B = number;</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>C = (*(A+B)&lt;&lt;24) +
  (*(A+B+1)&lt;&lt;16) + (*(A+B+2)&lt;&lt;8) + *(A+B+3)</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>&amp;number C = C &amp;
  number</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>&lt;&lt; number C = C
  &lt;&lt; number</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>&gt;&gt; number C = C
  &gt;&gt; number</span></p>
  <p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
  lang=EN-US style='font-family:"Microsoft YaHei"'>@number A = A + C; then do instruction number</span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Any access of memory outside [skb-&gt;data, skb-&gt;end] causes the match to fail. Otherwise the result of the computation is the final value of C. Whitespace is allowed but not required in the tests. However, the characters that do occur there are likely to require shell quoting, so it is a good idea to enclose the argument in quotes.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Examples</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Match IP packets with total length &gt;= 256. The IP header contains a total length field in bytes 2-3: read bytes 0-3, AND that with 0xFFFF (giving bytes 2-3), and test whether the result is in the range [0x100:0xFFFF].</span></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>--u32 &quot;0
  &amp; 0xFFFF = 0x100:0xFFFF&quot;</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:
"Microsoft YaHei"'>&nbsp;</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Match ICMP packets with ICMP type 0. First test that it is an ICMP packet, true iff byte 9 (protocol) = 1:</span></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>--u32 &quot;6
  &amp; 0xFF = 1 &amp;&amp; ...</span></code></p>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>This reads bytes 6-9, uses &amp; to throw away bytes 6-8 and compares the result to 1. Next test that it is not a fragment. (If so, it might be part of such a packet but we cannot always tell.) N.B.: this test is generally needed if you want to match anything beyond the IP header. The last 6 bits of byte 6 and all of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, you can allow first fragments by only testing the last 5 bits of byte 6.</span></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>... 4 &amp;
  0x3FFF = 0 &amp;&amp; ...</span></code></p>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Last test: the first byte past the IP header (the type) is 0. This is where we have to use the @ syntax. The length of the IP header (IHL) in 32 bit words is stored in the right half of byte 0 of the IP header itself.</span></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>... 0 &gt;&gt; 22
  &amp; 0x3C @ 0 &gt;&gt; 24 = 0&quot;</span></code></p>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>The first 0 means read bytes 0-3, &gt;&gt;22 means shift that 22 bits to the right. Shifting 24 bits would give the first byte, so only 22 bits is four times that plus a few more bits. &amp;3C then eliminates the two extra bits on the right and the first four bits of the first byte. For instance, if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in binary) xxxx0101 yyzzzzzz, &gt;&gt;22 gives the 10 bit value xxxx0101yy and &amp;3C gives 010100. @ means to use this number as a new offset into the packet, and read four bytes starting from there. This is the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply shift the value 24 to the right to throw out all but the first byte and compare the result with 0.</span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>&nbsp;</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>TCP payload bytes 8-12 is any of 1, 2, 5 or 8. First we test that the packet is a TCP packet (similar to ICMP):</span></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>--u32 &quot;6
  &amp; 0xFF = 6 &amp;&amp; ...</span></code></p>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Next, test that it is not a fragment (same as above).</span></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>... 0 &gt;&gt; 22
  &amp; 0x3C @ 12 &gt;&gt; 26 &amp; 0x3C @ 8 = 1,2,5,8&quot;</span></code></p>
  <p class=MsoNormal style='line-height:200%'><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>0&gt;&gt;22&amp;3C as above computes the number of bytes in the IP header. @ makes this the new offset into the packet, which is the start of the TCP header. The length of the TCP header (again in 32 bit words) is the left half of byte 12 of the TCP header. The 12&gt;&gt;26&amp;3C computes this length in bytes (similar to the IP header before). &quot;@&quot; makes this the new offset, which is the start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and = checks whether the result is any of 1, 2, 5 or 8.</span></p>
  </td>
 </tr>
</table>
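<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The register machine described above and the three worked --u32 examples, as an added Python model (example code written for this page, not iptables or kernel code): it parses the test language, enforces the three implementation limits, runs the A/B/C machine over a packet and applies the out-of-bounds rule. The packet builders ipv4_header, icmp_packet and tcp_packet, the constant names and every sample field value (addresses, ports, IP id) are assumptions made for the demonstration; the packets are constructed, not captured.</span></p>

```python
"""Reference interpreter for the iptables u32 match language (added example, not
iptables' own code). Registers: A = header offset, B = load offset, C = accumulator;
every test starts with A = B = C = 0 and the match holds when each final C is in its set."""
import re
import struct

_OPS = {'&', '<<', '>>', '@'}

def _num(tok):
    if not re.fullmatch(r'0[xX][0-9a-fA-F]+|\d+', tok):
        raise ValueError(f"expected a number, got {tok!r}")
    return int(tok, 16) if tok[:2].lower() == '0x' else int(tok)

def _tokenize_location(text):
    tokens = re.findall(r'0[xX][0-9a-fA-F]+|\d+|<<|>>|[&@]', text)
    if ''.join(tokens) != ''.join(text.split()):   # leftover characters = syntax error
        raise ValueError(f"bad location syntax: {text.strip()!r}")
    return tokens

def parse_u32(tests):
    """tests := location "=" value | tests "&&" location "=" value"""
    program = []
    for clause in tests.split('&&'):
        loc, _, val = clause.partition('=')
        if not val.strip() or '=' in val:
            raise ValueError("each test needs exactly one '='")
        toks = _tokenize_location(loc) or ['']     # '' makes _num() reject an empty location
        ops = [('load', _num(toks[0]))]
        for i in range(1, len(toks), 2):           # location := number | location operator number
            if toks[i] not in _OPS or i + 1 >= len(toks):
                raise ValueError(f"bad location near {toks[i]!r}")
            ops.append((toks[i], _num(toks[i + 1])))
        ranges = []
        for r in val.split(','):                   # value := range | value "," range
            lo, _, hi = r.partition(':')           # range := number | number ":" number
            ranges.append((_num(lo.strip()), _num((hi or lo).strip())))
        if len(program) >= 10 or len(ops) > 10 or len(ranges) > 10:
            raise ValueError("limit: 10 '=' tests, 10 numbers per location, 10 ranges per value")
        program.append((ops, ranges))
    return program

def _load(packet, at, pos):
    # Any access outside [skb->data, skb->end] makes the whole match fail.
    if at + pos + 4 > len(packet):
        return None
    return struct.unpack_from('!I', packet, at + pos)[0]

def run_u32(program, packet):
    for ops, ranges in program:
        a = c = 0
        for op, n in ops:
            if op == 'load':        # B = n; C = big-endian 32-bit word at A + B
                c = _load(packet, a, n)
            elif op == '&':
                c &= n
            elif op == '<<':
                c = (c << n) & 0xFFFFFFFF
            elif op == '>>':
                c >>= n
            else:                   # '@': A = A + C; then do instruction n
                a += c
                c = _load(packet, a, n)
            if c is None:
                return False
        if not any(lo <= c <= hi for lo, hi in ranges):
            return False
    return True

def u32_match(tests, packet):
    return run_u32(parse_u32(tests), packet)

def is_valid_u32(tests):
    try:
        parse_u32(tests)
        return True
    except ValueError:
        return False

# Constructed sample packets (not captures); checksums are left zero.
def ipv4_header(proto, payload_len, ihl=5, frag_off=0):
    fixed = struct.pack('!BBHHHBBH4s4s', 0x40 | ihl, 0, ihl * 4 + payload_len, 0x1234,
                        frag_off & 0x1FFF, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + b'\x01' * (ihl * 4 - 20)        # NOP options pad up to IHL

def icmp_packet(icmp_type, ihl=5, frag_off=0):
    icmp = struct.pack('!BBHHH', icmp_type, 0, 0, 1, 1) + b'\x00' * 8
    return ipv4_header(1, len(icmp), ihl, frag_off) + icmp

def tcp_packet(payload_word, data_offset=5, ihl=5):
    tcp = struct.pack('!HHIIHHHH', 40000, 80, 1, 1, (data_offset << 12) | 0x18, 65535, 0, 0)
    tcp += b'\x01' * (data_offset * 4 - 20)        # NOP options pad up to the data offset
    payload = b'\x00' * 8 + struct.pack('!I', payload_word) + b'\x00' * 4
    return ipv4_header(6, len(tcp) + len(payload), ihl) + tcp + payload

# The three --u32 programs from the text, minus the shell quotes.
U32_TOTAL_LEN_GE_256 = '0 & 0xFFFF = 0x100:0xFFFF'
U32_ICMP_TYPE_0 = '6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0'
U32_TCP_PAYLOAD = '6 & 0xFF = 6 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8'
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>u32_match(U32_ICMP_TYPE_0, icmp_packet(0)) returns True, and so does the same program on a packet with IHL=6, because the &quot;0 &gt;&gt; 22 &amp; 0x3C&quot; step computes the real header length rather than assuming 20 bytes. An echo request (type 8), a non-first fragment, or a packet that ends at the IP header all return False; the last case is the out-of-bounds rule at work, since the &quot;@&quot; load would read past the end of the packet. tcp_packet(2, data_offset=8, ihl=6) exercises both &quot;@&quot; hops with non-default header lengths.</span></p>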

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>42) <b>udp</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>These extensions can be used if &quot;<b>--protocol udp</b>&quot; is specified. It provides the following options:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --source-port,--sport </span></b><u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>port</span></u><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[:<u>port</u>], source port or port range specification.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>[!] --destination-port</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>,<b>--dport</b> <u>port</u>[:<u>port</u>], destination port or port range specification.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>43) <b>unclean</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module takes no options, but attempts to match packets which seem malformed or unusual.</span></p>

<p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:
"Microsoft YaHei"'>&nbsp;</span></p>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>4. Target extensions</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>1) <b>AUDIT</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target creates audit records for packets hitting the target. It can be used to record accepted, dropped, and rejected packets.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--type {accept|drop|reject}</span></b><span
style='font-family:"Microsoft YaHei"'>，设置审计记录类型。</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -N
  AUDIT_DROP</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A
  AUDIT_DROP -j AUDIT --type drop</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -A
  AUDIT_DROP -j DROP</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>2) <b>CHECKSUM</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target allows to selectively work around broken/old applications. It can only be used in the <b>mangle</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--checksum-fill</b>: compute and fill in the checksum in a packet that lacks one. This is particularly useful if you need to work around old applications such as dhcp clients that do not work well with checksum offload, but you do not want to disable checksum offload on your device.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>3) <b>CLASSIFY</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module allows you to set the skb-&gt;priority value (and thus classify the packet into a specific CBQ class).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-class </b><u>major</u>:<u>minor</u>: set the major and minor class value. The values are always interpreted as hexadecimal even if no 0x prefix is given.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>4) <b>CLUSTERIP</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module allows you to configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. Connections are statically distributed between the nodes in this cluster.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--new</b>: create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--hashmode </b><u>mode</u>: specify the hashing mode. Has to be one of <b>sourceip</b>, <b>sourceip-sourceport</b>, <b>sourceip-sourceport-destport</b>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--clustermac </b><u>mac</u>: specify the ClusterIP MAC address. Has to be a link-layer multicast address.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--total-nodes </b><u>num</u>: number of total nodes within this cluster.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--local-node </b><u>num</u>: local node number within this cluster.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--hash-init </b><u>rnd</u>: specify the random seed used for hash initialization.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>5) <b>CONNMARK</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module sets the netfilter mark value associated with a connection. The mark is 32 bits wide.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-xmark </b><u>value</u>[/<u>mask</u>]: zero out the bits given by <u>mask</u> and XOR <u>value</u> into the ctmark.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--save-mark </b>[<b>--nfmask</b> <u>nfmask</u>] [<b>--ctmask</b> <u>ctmask</u>]: copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new ctmark value is determined as follows:</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span style='font-family:"Microsoft YaHei"'>ctmark = (ctmark &amp; ~ctmask) ^ (nfmark &amp; nfmask)</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span style='font-family:"Microsoft YaHei"'>i.e. ctmask defines which bits to clear and nfmask which bits of the nfmark to XOR into the ctmark. Both masks default to 0xFFFFFFFF.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--restore-mark </b>[<b>--nfmask</b> <u>nfmask</u>] [<b>--ctmask</b> <u>ctmask</u>]: copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows:</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span style='font-family:"Microsoft YaHei"'>nfmark = (nfmark &amp; ~nfmask) ^ (ctmark &amp; ctmask)</span></p>

<p class=MsoNormal style='margin-left:21.0pt;text-indent:21.0pt;line-height:
200%'><span style='font-family:"Microsoft YaHei"'>i.e. nfmask defines which bits to clear and ctmask which bits of the ctmark to XOR into the nfmark. Both masks default to 0xFFFFFFFF. <b>--restore-mark</b> is only valid in the <b>mangle</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--and-mark </b><u>bits</u>: binary AND the ctmark with <u>bits</u>. (Mnemonic for <b>--set-xmark 0/</b><u>invbits</u>, where <u>invbits</u> is the binary negation of <u>bits</u>.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--or-mark </b><u>bits</u>: binary OR the ctmark with <u>bits</u>. (Mnemonic for <b>--set-xmark </b><u>bits</u>/<u>bits</u>.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--xor-mark </b><u>bits</u>: binary XOR the ctmark with <u>bits</u>. (Mnemonic for <b>--set-xmark </b><u>bits</u>/0.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The following option forms are also accepted:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-mark </b><u>value</u>[/<u>mask</u>]: set the connection mark. If a mask is specified, only those bits set in the mask are modified.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--save-mark </b>[<b>--mask</b> <u>mask</u>]: copy the nfmark to the ctmark. If a mask is specified, only those bits are copied.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--restore-mark </b>[<b>--mask</b> <u>mask</u>]: copy the ctmark to the nfmark. If a mask is specified, only those bits are copied. This is only valid in the <b>mangle</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>6) <b>CONNSECMARK</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This module copies security markings from packets to connections (if unlabeled), and from connections back to packets (also only if unlabeled). Typically used in conjunction with SECMARK, it is only valid in the <b>mangle</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--save</b>: if the packet has a security marking, copy it to the connection if the connection is not marked.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--restore</b>: if the packet does not have a security marking, and the connection does, copy the security marking from the connection to the packet.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>7) <b>DNAT</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target is only valid in the <b>nat</b> table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--to-destination </b>[<u>ipaddr</u>][-<u>ipaddr</u>][:<u>port</u>[-<u>port</u>]]: which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies <b>-p tcp</b> or <b>-p udp</b>). If no port range is specified, then the destination port will never be modified. If no IP address is specified, then only the destination port will be modified.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--random</b>: if option <b>--random</b> is used then the port mapping will be randomized (kernel &gt;= 2.6.22).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--persistent</b>: gives a client the same source/destination address for each connection. This supersedes the SAME target. Support for persistent mappings is available from kernel 2.6.29-rc2.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>8) <b>DSCP</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target allows to alter the value of the DSCP bits within the TOS header of the IPv4 packet. As this manipulates a packet, it can only be used in the <b>mangle</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-dscp </b><u>value</u>: set the DSCP field to a numerical value (can be decimal or hex).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-dscp-class </b><u>class</u>: set the DSCP field to a DiffServ class.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>9) <b>ECN</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target allows to selectively work around known <b>ECN</b> blackholes. It can only be used in the <b>mangle</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--ecn-tcp-remove</b>: remove all ECN bits from the TCP header. Of course, it can only be used in conjunction with <b>-p tcp</b>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>10) <b>LOG</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG, then DROP (or REJECT).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--log-level </b><u>level</u>: level of logging (numeric or see syslog.conf(5)).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--log-prefix </b><u>prefix</u>: prefix log messages with the specified <u>prefix</u>; up to 29 letters long, and useful for distinguishing messages in the logs.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--log-tcp-sequence</b>: log TCP sequence numbers. This is a security risk if the log is readable by users.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--log-tcp-options</b>: log options from the TCP packet header.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--log-ip-options</b>: log options from the IP packet header.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--log-uid</b>: log the userid of the process which generated the packet.</span></p>
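
<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The LOG description above says to log refused packets with two rules, LOG first and then DROP. The following shell script is an added example and not part of the iptables man page: it generates such a chain in iptables-restore syntax, refuses prefixes longer than the 29 characters LOG accepts before emitting anything, and rate-limits the LOG rule with the separate <b>limit</b> match extension (an addition here; that match is not covered on this page) so that a flood of matching packets cannot fill the kernel log. The chain names, prefixes and the telnet rule are this example's own.</span></p>

```shell
#!/bin/sh
# Added example (not from the iptables man page): build a "log, then drop"
# chain in iptables-restore syntax.  Two checks the kernel does not make
# visible at load time are enforced here: the --log-prefix length limit, and
# rate-limiting of the LOG rule via "-m limit" (assumed: the limit match
# extension is available; it is a separate match, not part of LOG itself).

LOG_PREFIX_MAX=29   # maximum length LOG --log-prefix accepts

# Returns 0 if the prefix fits LOG --log-prefix, 1 otherwise.
check_log_prefix() {
    [ ${#1} -le $LOG_PREFIX_MAX ]
}

# logged_drop_chain CHAIN PREFIX [RATE]
# Prints the chain definition and rules on stdout; returns 1 on a bad prefix.
logged_drop_chain() {
    chain=$1; prefix=$2; rate=${3:-5/min}
    if ! check_log_prefix "$prefix"; then
        echo "prefix '$prefix' exceeds $LOG_PREFIX_MAX characters" >&2
        return 1
    fi
    printf '%s\n' ":$chain - [0:0]"
    # LOG is non-terminating: traversal falls through to the DROP below.
    # Trailing space inside the quoted prefix keeps it separate from the
    # IN=/OUT= fields that follow in the log line.
    printf '%s\n' "-A $chain -m limit --limit $rate -j LOG --log-prefix \"$prefix \" --log-level 4"
    printf '%s\n' "-A $chain -j DROP"
}

# A complete filter-table fragment: unsolicited inbound telnet SYNs (sample
# match chosen for this example) go through the logged-drop chain.
# Load with:  iptables-restore < ruleset.txt
logged_drop_ruleset() {
    echo '*filter'
    logged_drop_chain LOG_DROP "telnet-drop" 10/min || return 1
    printf '%s\n' '-A INPUT -p tcp --dport 23 --syn -j LOG_DROP'
    echo 'COMMIT'
}

logged_drop_ruleset
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Review the generated text with <b>iptables-restore --test</b> before loading it; a prefix that is rejected by check_log_prefix would otherwise only fail at load time, and an unlimited LOG rule on a busy interface is a cheap way for a remote party to exhaust the kernel log buffer.</span></p>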

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>11) <b>MARK</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target is used to set the Netfilter mark value associated with the packet. The target can only be used in the <b>mangle</b> table. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). The mark field is 32 bits wide.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-xmark </b><u>value</u>[/<u>mask</u>]: zero out the bits given by <u>mask</u> and XOR <u>value</u> into the packet mark ("nfmark"). If <u>mask</u> is omitted, 0xFFFFFFFF is assumed.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--set-mark </b><u>value</u>[/<u>mask</u>]: zero out the bits given by <u>mask</u> and OR <u>value</u> into the packet mark ("nfmark"). If <u>mask</u> is omitted, 0xFFFFFFFF is assumed.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--and-mark </b><u>bits</u>: binary AND the nfmark with <u>bits</u>. (Mnemonic for <b>--set-xmark 0/</b><u>invbits</u>, where <u>invbits</u> is the binary negation of <u>bits</u>.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--or-mark </b><u>bits</u>: binary OR the nfmark with <u>bits</u>. (Mnemonic for <b>--set-xmark </b><u>bits</u>/<u>bits</u>.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--xor-mark </b><u>bits</u>: binary XOR the nfmark with <u>bits</u>. (Mnemonic for <b>--set-xmark </b><u>bits</u>/0.)</span></p>
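
<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The CONNMARK and MARK descriptions above state the same bit operations in words. The following POSIX shell script is an added example, not part of the iptables man page: it reproduces the <b>--set-xmark</b> arithmetic and the <b>--save-mark</b>/<b>--restore-mark</b> copy formulas, and lets you confirm that <b>--and-mark</b>, <b>--or-mark</b> and <b>--xor-mark</b> really are the stated <b>--set-xmark</b> mnemonics, so the effect of a rule on a 32-bit mark can be predicted before it is loaded. It needs no privileges and does not invoke iptables; the function names and the sample mark values are this example's own.</span></p>

```shell
#!/bin/sh
# Added example (not from the iptables man page): the bit arithmetic behind
# MARK/CONNMARK --set-xmark and CONNMARK --save-mark / --restore-mark.
# All marks are 32-bit unsigned; results are printed as 0x%08x.

M32=0xffffffff

# --set-xmark value/mask : clear the bits in mask, then XOR value in.
set_xmark() {            # $1 = current mark, $2 = value, $3 = mask
    printf '0x%08x\n' $(( ( ($1 & ~$3) ^ $2 ) & $M32 ))
}

# --and-mark bits  is  --set-xmark 0/invbits  (invbits = ~bits)
and_mark() {             # $1 = current mark, $2 = bits
    set_xmark "$1" 0 $(( ~$2 & $M32 ))
}

# --or-mark bits   is  --set-xmark bits/bits
or_mark() {              # $1 = current mark, $2 = bits
    set_xmark "$1" "$2" "$2"
}

# --xor-mark bits  is  --set-xmark bits/0
xor_mark() {             # $1 = current mark, $2 = bits
    set_xmark "$1" "$2" 0
}

# CONNMARK --save-mark [--nfmask nfmask] [--ctmask ctmask]
#   ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
save_mark() {            # $1 = nfmark, $2 = ctmark, $3 = nfmask, $4 = ctmask
    printf '0x%08x\n' $(( ( ($2 & ~$4) ^ ($1 & $3) ) & $M32 ))
}

# CONNMARK --restore-mark [--nfmask nfmask] [--ctmask ctmask]
#   nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)
restore_mark() {         # $1 = nfmark, $2 = ctmark, $3 = nfmask, $4 = ctmask
    printf '0x%08x\n' $(( ( ($1 & ~$3) ^ ($2 & $4) ) & $M32 ))
}

# Worked case: the "mark a connection once" pattern.  In rule terms:
#   -j CONNMARK --restore-mark            (pull the ctmark onto the packet)
#   -m mark --mark 0 -j MARK --set-xmark 0x2   (classify only if still unmarked)
#   -j CONNMARK --save-mark               (store it back on the connection)
# With the default 0xFFFFFFFF masks every copy is a plain assignment.
demo() {
    nf=0x00000000; ct=0x00000000
    nf=$(restore_mark "$nf" "$ct" "$M32" "$M32")
    if [ "$nf" = 0x00000000 ]; then
        nf=$(set_xmark "$nf" 0x2 "$M32")
    fi
    ct=$(save_mark "$nf" "$ct" "$M32" "$M32")
    echo "$ct"
}

# Mnemonic check: the shorthand and the long --set-xmark form must agree.
m=0x12345678
echo "and : $(and_mark $m 0xff00)  == $(set_xmark $m 0 0xffff00ff)"
echo "or  : $(or_mark  $m 0x0f)    == $(set_xmark $m 0x0f 0x0f)"
echo "xor : $(xor_mark $m 0xff)    == $(set_xmark $m 0xff 0)"
echo "ctmark after demo: $(demo)"
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>Partial masks matter when several subsystems share the 32-bit mark: <b>--save-mark --nfmask 0xff00 --ctmask 0xff00</b> moves only one byte and leaves the other ctmark bits untouched, which the save_mark function shows directly.</span></p>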

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>12) <b>MASQUERADE</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target is only valid in the <b>nat</b> table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes the following options:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--to-ports </b><u>port</u>[-<u>port</u>]: this specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies <b>-p tcp</b> or <b>-p udp</b>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--random</b>: randomize source port mapping. If option <b>--random</b> is used then the port mapping will be randomized (kernel &gt;= 2.6.21).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>13) <b>MIRROR</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are not seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>14) <b>NETMAP</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the <b>nat</b> table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--to </b><u>address</u>[/<u>mask</u>]: network address to map to. The resulting address will be constructed in the following way: all "one" bits in the mask are filled in from the new <u>address</u>; all bits that are zero in the mask are filled in from the original address.</span></p>
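
<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>As an added example that is not part of the man page, the following shell script reproduces the NETMAP address construction for IPv4 exactly as described above: bits set in the mask come from the new address, the remaining bits are kept from the original address. It runs without iptables or root; the function names and the sample networks 10.1.0.0/16 and 192.168.0.0/16 are this example's own.</span></p>

```shell
#!/bin/sh
# Added example (not from the iptables man page): compute the address that
# NETMAP --to address/mask writes into a packet, using only shell arithmetic.

ip2int() {                       # dotted quad -> integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {                       # integer -> dotted quad
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

prefix2mask() {                  # prefix length -> integer netmask
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# netmap ORIG NEWNET/PREFIX -> the address NETMAP --to NEWNET/PREFIX produces
# for a packet whose original address is ORIG.
netmap() {
    orig=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    mask=$(prefix2mask "${2#*/}")
    # one-bits of the mask from the new network, zero-bits from the original
    int2ip $(( (net & mask) | (orig & ~mask & 0xffffffff) ))
}

# Sample 1:1 mapping between an internal 10.1.0.0/16 and a public-facing
# 192.168.0.0/16 (addresses chosen for this example).
echo "PREROUTING  -d 192.168.2.3 -j NETMAP --to 10.1.0.0/16     -> $(netmap 192.168.2.3 10.1.0.0/16)"
echo "POSTROUTING -s 10.1.2.3    -j NETMAP --to 192.168.0.0/16  -> $(netmap 10.1.2.3 192.168.0.0/16)"
echo "a /24 mask keeps only the last octet:                       -> $(netmap 10.1.2.3 192.168.0.0/24)"
```

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>For such a 1:1 mapping one pairs a <b>nat</b> PREROUTING rule <b>-d 192.168.0.0/16 -j NETMAP --to 10.1.0.0/16</b> with a POSTROUTING rule <b>-s 10.1.0.0/16 -j NETMAP --to 192.168.0.0/16</b>; the script shows which address each rule writes for a given packet, and that the host part survives only as far as the mask leaves it untouched.</span></p>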

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>15) <b>NFLOG</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target provides logging of matching packets. When this target is set for a rule, the Linux kernel will pass the packet to the loaded logging backend to log the packet. This is usually used in combination with nfnetlink_log as the logging backend, which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues at the next rule.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--nflog-group </b><u>nlgroup</u>: the netlink group (1 to 2^32-1) to which packets are sent (only applicable for nfnetlink_log). The default value is 0.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--nflog-prefix </b><u>prefix</u>: a prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--nflog-range </b><u>size</u>: the number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range; this option overrides it.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--nflog-threshold </b><u>size</u>: number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase the delay until the packets reach userspace. The default value is 1.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>16) <b>NFQUEUE</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target is an extension of the <b>QUEUE</b> target. As opposed to <b>QUEUE</b>, it allows you to put a packet into any specific queue, identified by its 16-bit queue number. It can only be used with kernel versions 2.6.14 or later, since it requires the nfnetlink_queue kernel support. The queue-balance option was added in Linux 2.6.31, queue-bypass in 2.6.39.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--queue-num </b><u>value</u>: this specifies the queue number to use. Valid queue numbers are 0 to 65535. The default value is 0.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--queue-balance </b><u>value</u>:<u>value</u>: this specifies a range of queues to use. Packets are then balanced across the given queues.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--queue-bypass</b>: by default, if no userspace program is listening on an NFQUEUE, all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead and the packet moves on to the next rule. Choose this deliberately: without it, a crashed or absent userspace inspector fails closed (traffic is dropped); with it, the rule fails open and traffic passes uninspected.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>17) <b>NOTRACK</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target disables connection tracking for all packets matching that rule. It can only be used in the <b>raw</b> table. (In current iptables releases it is an alias for <b>-j CT --notrack</b>.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>18) <b>RATEEST</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>The RATEEST target collects statistics, performs rate estimation calculation and saves the results for later evaluation using the <b>rateest</b> match.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--rateest-name </b><u>name</u>: count matched packets into the pool referred to by <u>name</u>, which is freely choosable.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--rateest-interval </b><u>amount</u>{s|ms|us}: rate measurement interval, in seconds, milliseconds or microseconds.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--rateest-ewmalog </b><u>value</u>: rate measurement averaging time constant.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>19) <b>REDIRECT</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This target is only valid in the <b>nat</b> table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--to-ports </b><u>port</u>[-<u>port</u>]: this specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies <b>-p tcp</b> or <b>-p udp</b>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--random</b>: if option <b>--random</b> is used then the port mapping will be randomized (kernel &gt;= 2.6.22).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>20) <b>REJECT</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP, so it is a terminating target, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'><b>--reject-with </b><u>type</u>: the <u>type</u> given can be <b>icmp-net-unreachable</b>, <b>icmp-host-unreachable</b>, <b>icmp-port-unreachable</b>, <b>icmp-proto-unreachable</b>, <b>icmp-net-prohibited</b>, <b>icmp-host-prohibited</b> or <b>icmp-admin-prohibited</b>, which return the appropriate ICMP error message (<b>icmp-port-unreachable</b> is the default). The option <b>tcp-reset</b> can be used on rules which only match the TCP protocol: it causes a TCP RST packet to be sent back, which is useful, for example, for blocking ident (113/tcp) probes from broken mail hosts that would otherwise delay mail delivery.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>21</span><span
style='font-family:"Microsoft YaHei"'>）<b><span lang=EN-US>SAME</span></b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
style='font-family:"Microsoft YaHei"'>类似于<b><span lang=EN-US>SNAT/DNAT</span></b>，取决于链：它接受一系列地址“<span
lang=EN-US>--to 1.2.3.4-1.2.3.7</span>”。为每个连接提供相同的源<span lang=EN-US>/</span>目标地址。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--to</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>ipaddr</u>[-<u>ipaddr</u>]</span><span
style='font-family:"Microsoft YaHei"'>，要将源映射到的地址。可以为多个范围指定不止一次。</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--nodst</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: do not use the destination IP in the calculation when selecting the new source IP.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--random</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: port mapping will be forcibly randomized to avoid attacks based on port prediction (kernel &gt;= 2.6.21).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>22</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>SECMARK</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This is used to set the security mark value associated with the packet, for use by security subsystems such as SELinux. It is only valid in the mangle table. The mark is 32 bits wide.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--selctx</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>security_context</u></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>23</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>SET</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module adds entries to and/or deletes entries from IP sets, which can be defined with ipset(8).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--add-set</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>setname</u> <u>flag</u>[,<u>flag</u>...]: add the address(es)/port(s) of the packet to the set.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--del-set</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>setname</u> <u>flag</u>[,<u>flag</u>...]: delete the address(es)/port(s) of the packet from the set.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>24</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>SNAT</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and that rules should cease being examined. It takes one type of option:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--to-source</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>ipaddr</u>[-<u>ipaddr</u>][:<u>port</u>[-<u>port</u>]]: this can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512; those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--random</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: if the option "<b>--random</b>" is used, the port mapping will be randomized (kernel &gt;= 2.6.21).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--persistent</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: gives a client the same source/destination address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>25</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>TCPMSS</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target allows altering the MSS value of TCP SYN packets, to control the maximum segment size for that connection (usually limiting it to the MTU of the outgoing interface minus 40 for IPv4, or minus 60 for IPv6). Of course, it can only be used together with -p tcp. It is only valid in the mangle table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target is used to overcome the criminal practice of blocking "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets. The symptom of this problem is that everything works fine from the Linux firewall/router itself, but machines behind it can never exchange large packets: web browsers connect, then hang with no data received; small mails work fine, but large e-mails hang; SSH works fine, but scp hangs after the initial handshake.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Workaround: activate this option and add a rule to your firewall configuration like:</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=819 valign=top style='width:818.9pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>iptables -t mangle
  -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--set-mss</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>: explicitly sets the MSS option to the specified value. If the MSS of the packet is already lower than value, it will not be increased (from Linux 2.6.25 onwards), to avoid more problems with hosts relying on a proper MSS.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--clamp-mss-to-pmtu</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>: automatically clamp the MSS value to (PATH_MTU - 40 for IPv4; PATH_MTU - 60 for IPv6).</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>26</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>TCPOPTSTRIP</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target strips TCP options from a TCP packet. (It actually replaces them with NO-OPs.) As such, you need to add the "<b>-p tcp</b>" parameter.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--strip-options</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>option</u>[,<u>option</u>...]: strip the given option(s). The options may be specified by TCP option number or by symbolic name. The list of recognized options can be obtained by calling iptables with "<b>-j TCPOPTSTRIP -h</b>".</span></p>
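<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The TCPMSS rewrite and the TCPOPTSTRIP NO-OP substitution described above, worked through on the options block of a constructed SYN. This is an added example, not iptables or kernel code; the option kinds are the standard TCP ones, the PMTU arithmetic is as the text gives it, and only the options block (not the whole segment) is modelled.</span></p>

```python
"""Emulate what TCPMSS and TCPOPTSTRIP do to the options block of a TCP SYN.

Added illustration, not iptables or kernel code. Option kinds are the standard
TCP ones; the clamp arithmetic (PMTU-40 for IPv4, PMTU-60 for IPv6) is the one
the text gives. Only the options block is modelled, not the whole segment.
"""
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TS = 0, 1, 2, 3, 4, 8
IP_OVERHEAD = {4: 40, 6: 60}  # IP header plus the 20-byte TCP header


def parse_options(raw: bytes):
    """Split a TCP options block into (kind, data) tuples, stopping at EOL."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((OPT_NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def serialize_options(opts) -> bytes:
    """Re-encode options, padding with EOL so the header stays 32-bit aligned."""
    out = bytearray()
    for kind, data in opts:
        if kind == OPT_NOP:
            out.append(OPT_NOP)
        else:
            out += bytes([kind, len(data) + 2]) + data
    while len(out) % 4:
        out.append(OPT_EOL)
    return bytes(out)


def get_mss(raw: bytes):
    """Return the advertised MSS, or None if the SYN carries no MSS option."""
    for kind, data in parse_options(raw):
        if kind == OPT_MSS and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def set_mss(raw: bytes, value: int) -> bytes:
    """--set-mss value. As the text notes for kernels >= 2.6.25, an MSS already
    lower than value is left alone, so the result is min(current, value). (The
    real target also inserts an MSS option when the SYN has none; not modelled.)"""
    new = []
    for kind, data in parse_options(raw):
        if kind == OPT_MSS and len(data) == 2:
            data = struct.pack("!H", min(struct.unpack("!H", data)[0], value))
        new.append((kind, data))
    return serialize_options(new)


def clamp_mss_to_pmtu(raw: bytes, pmtu: int, ipv: int = 4) -> bytes:
    """--clamp-mss-to-pmtu: the MSS becomes PMTU-40 (IPv4) or PMTU-60 (IPv6)."""
    return set_mss(raw, pmtu - IP_OVERHEAD[ipv])


def strip_options(raw: bytes, kinds) -> bytes:
    """TCPOPTSTRIP --strip-options: overwrite each listed option with NOPs, one per
    byte, so the header length and the offsets of the other options do not change."""
    new = []
    for kind, data in parse_options(raw):
        new.extend([(OPT_NOP, b"")] * (len(data) + 2) if kind in kinds else [(kind, data)])
    return serialize_options(new)


# Constructed sample: options of a typical Linux SYN. MSS 1460, SACK-permitted,
# timestamps, NOP, window scale 7 (20 bytes, already 32-bit aligned).
SAMPLE_SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0001e24000000000" "01" "030307")
```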

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>27</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>TOS</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This module sets the Type of Service field in the IPv4 header (including the "precedence" bits) or the Priority field in the IPv6 header. Note that TOS shares the same bits as DSCP and ECN. The TOS target is only valid in the mangle table.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--set-tos</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>[/<u>mask</u>]: zeroes out the bits given by mask and XORs value into the TOS/Priority field. If mask is omitted, 0xFF is assumed.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--set-tos</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>symbol</u>: when using the TOS target for IPv4, a symbolic name can be specified. It implies a mask of 0xFF. The list of recognized TOS names can be obtained by calling iptables with "<b>-j TOS -h</b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--and-tos</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>bits</u>: binary AND the TOS value with <u>bits</u>. (Mnemonic for "--set-tos 0/invbits", where invbits is the binary negation of bits.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--or-tos</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>bits</u>: binary OR the TOS value with <u>bits</u>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--xor-tos</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>bits</u>: binary XOR the TOS value with <u>bits</u>.</span></p>
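<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>The bit semantics of the TOS options above, as an added example that is not iptables code: each of --and-tos, --or-tos and --xor-tos is expressed as the --set-tos value/mask case the mnemonics refer to, and the DSCP/ECN split shows why a full-byte rewrite of the shared field clears the ECN bits unless the mask excludes them. The TOS byte value is constructed.</span></p>

```python
"""Bit semantics of the TOS target's options, as an added illustration (not
iptables code). Every option is a special case of --set-tos value/mask, and the
DSCP/ECN split shows what a rewrite does to the fields that share the byte."""

# Symbolic names accepted by --set-tos for IPv4 (the list iptables -j TOS -h prints).
TOS_SYMBOLS = {
    "Minimize-Delay": 0x10, "Maximize-Throughput": 0x08,
    "Maximize-Reliability": 0x04, "Minimize-Cost": 0x02, "Normal-Service": 0x00,
}


def set_tos(tos: int, value: int, mask: int = 0xFF) -> int:
    """--set-tos value[/mask]: zero the bits in mask, then XOR value in.
    A missing mask means 0xFF, i.e. the whole byte is replaced."""
    return ((tos & ~mask) ^ value) & 0xFF


def set_tos_symbol(tos: int, name: str) -> int:
    """--set-tos symbol: symbolic names imply a 0xFF mask."""
    return set_tos(tos, TOS_SYMBOLS[name], 0xFF)


def and_tos(tos: int, bits: int) -> int:
    """--and-tos bits == --set-tos 0/invbits, invbits being the negation of bits."""
    return set_tos(tos, 0, (~bits) & 0xFF)


def or_tos(tos: int, bits: int) -> int:
    """--or-tos bits: OR bits into the field (same as --set-tos bits/bits)."""
    return set_tos(tos, bits, bits)


def xor_tos(tos: int, bits: int) -> int:
    """--xor-tos bits: flip bits (same as --set-tos bits/0, nothing zeroed first)."""
    return set_tos(tos, bits, 0)


def dscp_ecn(tos: int):
    """The TOS byte shares its bits with DSCP (upper 6) and ECN (lower 2)."""
    return tos >> 2, tos & 0x03


# Constructed sample: a packet carrying DSCP 46 (EF) with ECN ECT(0): 0b10111001.
SAMPLE_TOS = 0xB9

if __name__ == "__main__":
    # A plain --set-tos Minimize-Delay replaces the whole byte, wiping DSCP and ECN.
    print(dscp_ecn(set_tos_symbol(SAMPLE_TOS, "Minimize-Delay")))  # (4, 0)
    # Excluding the ECN bits from the mask (0xFC) keeps the congestion signal intact.
    print(dscp_ecn(set_tos(SAMPLE_TOS, 0x10, 0xFC)))               # (4, 1)
```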

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>28</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>TPROXY</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target is only valid in the mangle table, in the PREROUTING chain and in user-defined chains which are only called from that chain. It redirects the packet to a local socket without changing the packet header in any way. It can also change the mark value, which can then be used in advanced routing rules. It takes three options:</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--on-port</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>port</u>: this specifies the destination port to use. It is a required option; 0 means the new destination port is the same as the original. This is only valid if the rule also specifies "<b>-p tcp</b>" or "<b>-p udp</b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--on-ip</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>address</u>: this specifies the destination address to use. By default the address is the IP address of the incoming interface. This is only valid if the rule also specifies "<b>-p tcp</b>" or "<b>-p udp</b>".</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--tproxy-mark</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>[/<u>mask</u>]: marks packets with the given value/mask. The fwmark value set here can be used by advanced routing. (Required for transparent proxying to work: otherwise these packets will get forwarded, which is probably not what you want.)</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>29</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>TRACE</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target marks packets so that the kernel will log every rule which matches the packets as they traverse the tables, chains and rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix "TRACE: tablename:chainname:type:rulenum", where type can be "rule" for a plain rule, "return" for the implicit rule at the end of a user-defined chain, and "policy" for the policy of a built-in chain.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>It can only be used in the raw table.</span></p>
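<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Reading TRACE output back into the path each packet took, as an added example that is not part of iptables: the log lines are constructed in the "TRACE: tablename:chainname:type:rulenum" format described above, followed by the key=value fields the kernel appends to LOG-style messages, and the SYN to port 135 is meant to land on the DROP rule of the examples section (rule numbers are constructed).</span></p>

```python
"""Reconstruct the path a packet took through the tables from TRACE log lines.

Added illustration, not part of iptables. The log lines are constructed in the
format the text describes, "TRACE: tablename:chainname:type:rulenum", followed
by the usual LOG-style key=value fields the kernel appends.
"""
import re

TRACE_RE = re.compile(
    r"TRACE:\s*(?P<table>\w+):(?P<chain>\w+):(?P<type>rule|return|policy):(?P<rulenum>\d+)"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: a SYN to tcp/135 that ends at the filter INPUT DROP rule
# (rule 3 here) and an ICMP echo accepted by rule 2, with their lines interleaved.
_TCP = ("IN=eth0 OUT= SRC=192.168.1.110 DST=192.168.1.1 LEN=60 TTL=64 ID=4242 DF "
        "PROTO=TCP SPT=45678 DPT=135 SYN URGP=0")
_ICMP = ("IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=84 TTL=64 ID=9001 DF "
         "PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1")
SAMPLE_LOG = "\n".join([
    "kernel: TRACE: raw:PREROUTING:policy:2 " + _TCP,
    "kernel: TRACE: raw:PREROUTING:policy:2 " + _ICMP,
    "kernel: TRACE: mangle:PREROUTING:policy:1 " + _TCP,
    "kernel: TRACE: nat:PREROUTING:policy:1 " + _TCP,
    "kernel: TRACE: mangle:PREROUTING:policy:1 " + _ICMP,
    "kernel: TRACE: mangle:INPUT:policy:1 " + _TCP,
    "kernel: TRACE: filter:INPUT:rule:3 " + _TCP,
    "kernel: TRACE: nat:PREROUTING:policy:1 " + _ICMP,
    "kernel: TRACE: mangle:INPUT:policy:1 " + _ICMP,
    "kernel: TRACE: filter:INPUT:rule:2 " + _ICMP,
    "kernel: some unrelated message",
])


def parse_trace_line(line: str):
    """Return ((table, chain, type, rulenum), fields) or None for non-TRACE lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line[m.end():]):
        fields.setdefault(key, val)  # first ID= is the IP header id; ICMP repeats the key
    return (m["table"], m["chain"], m["type"], int(m["rulenum"])), fields


def packet_key(fields: dict):
    """Identify one packet across its log lines: addresses, protocol, IP id, ports."""
    return tuple(fields.get(k) for k in ("SRC", "DST", "PROTO", "ID", "SPT", "DPT"))


def trace_paths(log_text: str):
    """Group TRACE hops per packet, preserving the order the kernel logged them."""
    paths = {}
    for line in log_text.splitlines():
        parsed = parse_trace_line(line)
        if parsed is not None:
            hop, fields = parsed
            paths.setdefault(packet_key(fields), []).append(hop)
    return paths


def verdict_hop(path):
    """The last logged hop is where the packet's fate was decided: a terminating
    rule, or the built-in chain's policy. Non-terminating matches (LOG, marks)
    appear earlier in the path, which is what makes TRACE useful for debugging."""
    return path[-1]


def format_path(path) -> str:
    return " -> ".join("%s:%s:%s:%d" % hop for hop in path)
```

The table, chain and rule number of the verdict hop are what to look up with `iptables -t <table> -L <chain> --line-numbers` when a packet is dropped unexpectedly.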

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>&nbsp;</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>30</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>TTL</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet may traverse until its time to live is exceeded. Setting or incrementing the TTL field can be very dangerous, so it should be avoided at any cost. Never set or increment the value on packets that leave your local network!</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ttl-set</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>: set the TTL to <u>value</u>.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ttl-dec</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>: decrement the TTL <u>value</u> times.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ttl-inc</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>value</u>: increment the TTL <u>value</u> times.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>&nbsp;</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>31</span><span
lang=EN-US style='font-family:"Microsoft YaHei"'>) <b>ULOG</b></span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel multicasts the packet through a netlink socket. One or more userspace processes may then subscribe to the various multicast groups and receive the packets. Like LOG, this is a "non-terminating target", i.e. rule traversal continues at the next rule.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ulog-nlgroup</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>nlgroup</u>: this specifies the netlink group (1-32) to which the packet is sent. The default value is 1.</span></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><b><span
lang=EN-US style='font-family:"Microsoft YaHei"'>--ulog-prefix</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>prefix</u>: prefix log messages with the specified prefix; up to 32 characters long, useful for distinguishing messages in the logs.</span></p>

<p class=MsoNormal style='text-indent:21.0pt'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>--ulog-cprange</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>size</u>: the number of bytes to copy to userspace. A value of 0 always copies the entire packet, regardless of its size. The default value is 0.</span></p>

<p class=MsoNormal style='text-indent:21.0pt'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>--ulog-qthreshold</span></b><span
lang=EN-US style='font-family:"Microsoft YaHei"'> <u>size</u>: the number of packets to queue inside the kernel. Setting this value to 10, for example, accumulates ten packets inside the kernel and transmits them to userspace as one netlink multipart message. The default value is 1 (for backwards compatibility).</span></p>

<p class=MsoNormal style='line-height:200%'><span lang=EN-US style='font-family:
"Microsoft YaHei"'>&nbsp;</span></p>

<p class=MsoNormal style='line-height:200%'><b><span lang=EN-US
style='font-family:"Microsoft YaHei"'>5. Examples</span></b></p>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>1) Display the rules of the filter table</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>[root@localhost ~]#<b>
  iptables -t filter -L                // list the rules of the specified table</b></span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><b><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Chain INPUT
  (policy ACCEPT)</span></b></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>target     prot
  opt source               destination         </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ACCEPT     all 
  --  anywhere             anywhere            state RELATED,ESTABLISHED </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ACCEPT     icmp
  --  anywhere             anywhere                  </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>…</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><b><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Chain FORWARD
  (policy ACCEPT)</span></b></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>target     prot
  opt source               destination         </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ACCEPT     all 
  --  anywhere             anywhere            state RELATED,ESTABLISHED </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ACCEPT     icmp
  --  anywhere             anywhere            </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>…</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><b><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Chain OUTPUT
  (policy ACCEPT)</span></b></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>target     prot
  opt source               destination </span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>2) Block TCP packets to port 135</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>[root@localhost
  ~]# <b>iptables -t filter -A INPUT -p tcp --dport 135 -j DROP          // add a rule: drop TCP packets to port 135</b></span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'> </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>[root@localhost
  ~]# <b>iptables -L         // list the table; the rule has been added</b></span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>Chain INPUT
  (policy ACCEPT)</span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>target     prot
  opt source               destination         </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>ACCEPT     all 
  --  anywhere             anywhere            state RELATED,ESTABLISHED </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>DROP       tcp 
  --  anywhere             anywhere            tcp dpt:epmap </span></code></p>
  </td>
 </tr>
</table>

<p class=MsoNormal style='text-indent:21.0pt;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>3) Block a given source address from accessing this host</span></p>

<table class=a0 border=1 cellspacing=0 cellpadding=0 width="95%"
 style='width:95.0%;margin-left:24.1pt;border-collapse:collapse;border:none'>
 <tr style='height:14.9pt'>
  <td width=836 valign=top style='width:836.15pt;border:solid windowtext 1.0pt;
  background:#E7E6E6;padding:0cm 5.4pt 0cm 5.4pt;height:14.9pt'>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>[root@localhost
  ~]# <b>iptables -A INPUT -s 192.168.1.110 -j DROP                          
  // block the .110 address from accessing this host</b></span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>[root@localhost
  ~]# <b>iptables -L |grep DROP                                                  
  // list the filter table; the rule has been added</b></span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>DROP       tcp 
  --  anywhere             anywhere            tcp dpt:epmap </span></code></p>
  <p class=MsoNormal style='line-height:200%'><code><span lang=EN-US
  style='font-size:10.0pt;line-height:200%;font-family:Menlo'>DROP       all 
  --  192.168.1.110        anywhere   </span></code></p>
  </td>
 </tr>
</table>


<p class=MsoNormal align=center style='text-align:center;line-height:200%'><span
lang=EN-US style='font-family:"Microsoft YaHei"'>Copyright@david 
zhytwj2018@163.com</span></p>

</div>

</body>

</html>
